AWS Certified Security – Specialty — Question 500

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?

Answer options

• A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
• B. Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
• C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
• D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

Correct answer: B

Explanation

AWS KMS with imported key material allows for the immediate deletion of key material using the DeleteImportedKeyMaterial API, satisfying the requirement for immediate deletion while maintaining a highly scalable, low-management service. In contrast, standard KMS keys deleted via ScheduleKeyDeletion require a mandatory waiting period of 7 to 30 days, and AWS managed keys cannot be deleted at all. AWS CloudHSM requires significant administrative management, and Systems Manager Parameter Store is not designed for native, seamless S3 integration for object encryption.