AWS Certified Security – Specialty — Question 447

A company uses AWS Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume.

A security engineer must recommend a solution to decrypt the EBS volume's encrypted data key. The solution must also attach the volume to the EC2 instance.

Which solution will meet these requirements?

Answer options

Correct answer: C

Explanation

When key material imported into an AWS KMS key is deleted, any data encrypted under that key becomes unreadable unless the exact same key material is reimported. Importing different key material into the existing key or creating a brand-new key will not allow decryption of the existing EBS data key, because the cryptographic material would not match. Restoring from a snapshot also fails to solve the issue, because the snapshot itself remains encrypted with the original, now unusable key. The only remedy is to reimport the identical key material the company originally imported (which it must still hold outside AWS); once KMS holds that material again, it can decrypt the volume's encrypted data key and the volume can be attached to the instance.
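The reimport procedure the explanation describes, as an added example (not part of the original question or of AWS's own tooling). The key ID, volume and instance IDs, device name and file names are placeholders; the script assumes the AWS CLI and OpenSSL are installed and that the company kept a SHA-256 fingerprint of the key material when it first imported it, so it can refuse to import material that differs from the original.

```shell
#!/bin/sh
# Added example: re-import the ORIGINAL key material into a KMS key whose
# material was deleted, then re-attach the encrypted EBS volume.
# All IDs and file names below are placeholders (assumptions).
set -eu

# Wrap 256-bit key material with RSAES_OAEP_SHA_256, the wrapping scheme
# requested from get-parameters-for-import below.
#   $1 = plaintext key material file (32 bytes)
#   $2 = KMS wrapping public key, DER-encoded (as returned by KMS, base64-decoded)
#   $3 = output file for the wrapped key material
wrap_key_material() {
  openssl pkeyutl -encrypt \
    -in "$1" -out "$3" \
    -inkey "$2" -keyform DER -pubin \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

# Defender check: only the identical bytes will decrypt the existing data key,
# so compare the material's SHA-256 with the fingerprint recorded at first import.
#   $1 = key material file, $2 = expected hex SHA-256; returns 0 on match
key_material_matches() {
  actual=$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Re-import the key material into the existing key (key ID and ARN are placeholders).
#   $1 = KMS key ID, $2 = original key material file, $3 = recorded SHA-256 fingerprint
reimport_key_material() {
  key_material_matches "$2" "$3" || {
    echo "refusing to import: key material differs from the original" >&2
    return 1
  }
  # One call returns both the wrapping public key and the import token; they must
  # come from the same call, so fetch them together as tab-separated base64 text.
  aws kms get-parameters-for-import \
    --key-id "$1" \
    --wrapping-algorithm RSAES_OAEP_SHA_256 \
    --wrapping-key-spec RSA_2048 \
    --query '[PublicKey, ImportToken]' --output text > import-params.txt
  cut -f1 import-params.txt | base64 -d > WrappingPublicKey.bin
  cut -f2 import-params.txt | base64 -d > ImportToken.bin

  wrap_key_material "$2" WrappingPublicKey.bin EncryptedKeyMaterial.bin

  aws kms import-key-material \
    --key-id "$1" \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
}

# Attach the volume once KMS can decrypt its data key again (IDs are placeholders).
attach_volume() {
  aws ec2 attach-volume \
    --volume-id "$1" --instance-id "$2" --device "$3"
}

# Usage (placeholders; the AWS calls run only when invoked explicitly):
#   reimport_key_material 1234abcd-12ab-34cd-56ef-1234567890ab \
#       PlaintextKeyMaterial.bin <recorded-sha256-hex>
#   attach_volume vol-0123456789abcdef0 i-0123456789abcdef0 /dev/sdf
```

The fingerprint check is the part worth keeping in any runbook: KMS will happily accept different 256-bit material for the same key, and the failure only shows up later as an undecryptable data key, so verify identity of the bytes before the import, not after.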