AWS Certified Security – Specialty — Question 253
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?
Answer options
- A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
- B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's keys and key material into the CMK.
- C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
- D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's keys and key material into the CMK.
Correct answer: C
Explanation
The correct answer is C. Importing your own key material requires a customer managed CMK created with no key material (origin EXTERNAL) in the default key store; the company's wrapped key material is then imported into that key. Imported key material can be given an expiration date at import time, and it can be deleted immediately with DeleteImportedKeyMaterial, which makes the key unusable at once rather than after the waiting period that scheduled key deletion imposes. Options A and D use a custom key store, which is not necessary for the stated requirements and does not support imported key material. Option B employs an AWS managed CMK, whose key material is generated and controlled by AWS and cannot be replaced with imported material, so it fails to meet the company's needs.