AWS Certified Security – Specialty — Question 350
A security engineer is evaluating a company’s use of AWS Key Management Service (AWS KMS). The security engineer must implement a hybrid solution with two sets of keys to meet the following requirements:
• Set 1: The company needs granular control over the keys so that the company can maintain a copy of the keys in the key management infrastructure and reimport the keys at any time. The company needs the ability to set the expiration period to 3 days for the keys.
• Set 2: No restrictions exist regarding immediate key deletion. A waiting period of 14 days is acceptable for keys to be marked deleted.
Which solution will meet these requirements?
Answer options
- A. Use imported keys for Set 1. Use AWS managed keys for Set 2. For Set 1, set an expiration period and manually delete the keys after the expiration period has elapsed.
- B. Use imported keys for Set 1. Use AWS managed keys for Set 2. For Set 1, set an expiration period. AWS will automatically delete the keys after the expiration period has elapsed.
- C. Use AWS managed keys for Set 1. Use imported keys for Set 2. For Set 1, set an expiration period and manually delete the keys after the expiration period has elapsed.
- D. Use AWS managed keys for Set 1. Use imported keys for Set 2. For Set 1, set an expiration period. AWS will automatically delete the keys after the expiration period has elapsed.
Correct answer: B
Explanation
Imported key material in AWS KMS lets the company keep its own copy of the key material outside AWS, reimport it whenever needed, and set an expiration date at which KMS automatically deletes the imported material, which satisfies Set 1 (including the 3-day expiration period). For Set 2, AWS managed keys are adequate because the company does not need to delete keys immediately and can rely on the standard deletion waiting period. Using imported keys with automatic expiration for Set 1 and AWS managed keys for Set 2 therefore meets every requirement.
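The Set 1 mechanics the explanation describes, written out as boto3 calls in an added example (not part of the practice question or of any AWS documentation): a key created with Origin=EXTERNAL, a 256-bit key material value the company generates and keeps, RSAES_OAEP_SHA_256 wrapping with the public key KMS hands back, and an import with ExpirationModel=KEY_MATERIAL_EXPIRES and a ValidTo three days out so KMS deletes the material itself. The pending-window check covers the 14-day figure from Set 2, since 7 to 30 days is the range ScheduleKeyDeletion accepts on a key the customer controls. Assumed: boto3 and the cryptography package are installed, AWS credentials are configured, and the caller holds the kms:CreateKey, kms:GetParametersForImport, kms:ImportKeyMaterial and kms:ScheduleKeyDeletion permissions. The helper functions are pure and run without AWS; only main() talks to KMS.

```python
"""Added example: KMS imported key material with a 3-day expiry (Set 1)
and the 7-30 day deletion waiting period (the 14 days in Set 2).
Assumes boto3 + cryptography are installed and AWS credentials exist.
"""
import datetime as dt
import secrets

KEY_MATERIAL_TTL_DAYS = 3   # Set 1: material expires after 3 days
DELETION_WINDOW_DAYS = 14   # Set 2: 14-day waiting period is acceptable


def valid_to(now: dt.datetime, days: int = KEY_MATERIAL_TTL_DAYS) -> dt.datetime:
    """Expiry timestamp for imported key material. KMS requires a
    timezone-aware instant in the future; ValidTo is passed as-is to boto3."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware (use UTC)")
    if days < 1:
        raise ValueError("expiration must be at least one day in the future")
    return now + dt.timedelta(days=days)


def pending_window(days: int = DELETION_WINDOW_DAYS) -> int:
    """ScheduleKeyDeletion accepts PendingWindowInDays from 7 to 30 inclusive;
    the deletion can be cancelled any time during that window."""
    if not 7 <= days <= 30:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    return days


def wrap_key_material(plaintext_key: bytes, wrapping_public_key_der: bytes) -> bytes:
    """Wrap the AES-256 key with the RSA public key from GetParametersForImport,
    using RSAES_OAEP_SHA_256 (the WrappingAlgorithm requested below)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    if len(plaintext_key) != 32:
        raise ValueError("SYMMETRIC_DEFAULT keys take 256-bit (32-byte) key material")
    public_key = serialization.load_der_public_key(wrapping_public_key_der)
    return public_key.encrypt(
        plaintext_key,
        padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None),
    )


def import_request(key_id: str, import_token: bytes, wrapped: bytes, expires: dt.datetime) -> dict:
    """Keyword arguments for kms.import_key_material. KEY_MATERIAL_EXPIRES tells
    KMS to delete the material at ValidTo; the key then goes to PendingImport
    and its ciphertexts are unusable until the same material is reimported."""
    return {
        "KeyId": key_id,
        "ImportToken": import_token,
        "EncryptedKeyMaterial": wrapped,
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": expires,
    }


def main():
    import boto3

    kms = boto3.client("kms")

    # Set 1: KMS generates no material for an EXTERNAL-origin key; the company supplies it.
    key_id = kms.create_key(Origin="EXTERNAL", Description="Set 1: imported material")[
        "KeyMetadata"]["KeyId"]
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048")
    plaintext_key = secrets.token_bytes(32)  # the copy the company retains for reimport
    wrapped = wrap_key_material(plaintext_key, params["PublicKey"])
    kms.import_key_material(**import_request(
        key_id, params["ImportToken"], wrapped, valid_to(dt.datetime.now(dt.timezone.utc))))
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    print("Set 1 key", key_id, "material expires at", meta["ValidTo"])

    # Deletion waiting period: shown on a customer-controlled key, since that is the
    # call that takes PendingWindowInDays.
    resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=pending_window())
    print("deletion scheduled for", resp["DeletionDate"])


if __name__ == "__main__":
    main()
```

Running main() creates a real KMS key and schedules it for deletion, so point it at a sandbox account; the expiry and window helpers can be exercised without any AWS access.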