AWS Certified Security – Specialty — Question 501
A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.
The company's Developer Operations department learns about this only after the CMK has been deleted.
Which steps must be taken to address this situation?
Answer options
- A. Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.
- B. Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.
- C. Make a request to AWS Support to recover the S3 encrypted data.
- D. Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.
Correct answer: A
Explanation
Because the Amazon EBS volume is still attached to a running Amazon EC2 instance, the plaintext data key that protects the volume is already held in the hypervisor's memory, so the instance can continue to read the data and copy it elsewhere. Once an AWS KMS CMK has been deleted, neither the customer nor AWS Support can recover it, and deletion destroys every version of the key's backing material, so earlier rotated versions cannot be used either. The data in the Amazon S3 bucket, and the data on any EBS volume that is detached or whose instance is stopped, is therefore permanently unrecoverable. The only way to save the data is to copy it directly from the running instance before it is stopped or the volume is detached.