AWS Certified Solutions Architect – Professional — Question 406
Which of the following is true of Amazon EBS encryption keys?
Answer options
- A. Amazon EBS encryption uses the Customer Master Key (CMK) to create an AWS Key Management Service (AWS KMS) master key.
- B. Amazon EBS encryption uses the EBS Magnetic key to create an AWS Key Management Service (AWS KMS) master key.
- C. Amazon EBS encryption uses the EBS Magnetic key to create a Customer Master Key (CMK).
- D. Amazon EBS encryption uses the AWS Key Management Service (AWS KMS) master key to create a Customer Master Key (CMK).
Correct answer: D
Explanation
Amazon EBS encryption uses the AWS Key Management Service (AWS KMS) master key to generate and manage the Customer Master Key (CMK) used for securing volumes. Options A, B, and C are incorrect because they misrepresent the key hierarchy or refer to nonexistent concepts such as the 'EBS Magnetic key' as the source for generating KMS master keys.