AWS Certified Security – Specialty — Question 452
A company's application uses standard tier secure string parameters from AWS Systems Manager Parameter Store. The application is receiving error messages when the company tries to update a parameter. The parameter uses an AWS Key Management Service (AWS KMS) customer managed key for encryption and decryption.
What are the reasons for the error messages? (Choose two.)
Answer options
- A. The application does not have the kms:Encrypt permission for the customer managed key.
- B. The customer managed key is already being used to encrypt another secure string parameter.
- C. Standard tier secure string parameters cannot use a customer managed key for encryption.
- D. The customer managed key that is specified in the application has its key state set to Disabled.
- E. The customer managed key that is specified in the application is using a key alias instead of a key ID.
Correct answer: A, D
Explanation
To successfully update a secure string parameter encrypted with a customer managed key, the calling identity must have the kms:Encrypt permission on that key, and the key itself must be in the Enabled key state. If the permission is missing (Option A) or the key state is Disabled (Option D), the update operation fails. The remaining options describe conditions that are permitted: a customer managed key can be reused across multiple secure string parameters (so B is incorrect), standard tier parameters fully support customer managed keys (so C is incorrect), and a key can be referenced by its alias as well as by its key ID (so E is incorrect).