AWS Certified Security – Specialty — Question 265

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon
EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.
Which solution meets these criteria?

Answer options

• A. A customer managed CMK that uses customer provided key material
• B. A customer managed CMK that uses AWS provided key material
• C. An AWS managed CMK
• D. Operation system-native encryption that uses GnuPG

Correct answer: A

Explanation

Importing your own key material into a customer managed KMS key allows you to set an expiration date and time, after which AWS KMS automatically deletes the key material. Neither AWS-managed keys nor customer managed keys with AWS-generated key material support automatic expiration of key material. Operating system-native encryption using GnuPG is not an AWS KMS-based solution for EBS volume encryption.