AWS Certified Security – Specialty — Question 39

Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

Answer options

• A. Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
• B. Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
• C. Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
• D. Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

Correct answer: B

Explanation

The correct answer is B because generating a new Customer Master Key (CMK) and re-encrypting existing data with it effectively limits the exposure of data in the event of a key compromise. Options A, C, and D do not fully address the risk of data exposure as they either leave previously encrypted data vulnerable or do not involve a re-encryption process with a new key.