Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 84 discussion

The best solution to meet these criteria is A. A customer managed key that uses customer provided key material.

You can only schedule the deletion of a customer managed key. You cannot delete AWS managed keys or AWS owned keys. https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html

Correct answer is A. You can select your KMS key with imported key material expiration date. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html

AWS Managed Key (AWS KMS): AWS managed keys (AWS KMS keys) are created, managed, and rotated by AWS KMS. AWS automatically handles key rotation for these keys. With an AWS managed key, you can set the key rotation interval, and AWS KMS will automatically rotate the key material. Expiration: While AWS managed keys don't have an explicit "expiration" property, you can achieve similar functionality by configuring key rotation every 90 days. This ensures that the key material is automatically rotated, effectively providing a new key every 90 days. Options A and B refer to customer managed keys, and the expiration of key material would need to be managed manually by the customer. Option D mentions GnuPG, which is not applicable for managing AWS EBS volume encryption keys. Therefore, option C (AWS managed key) is the most suitable choice for this scenario.

You may set an expiration period for an imported key. AWS KMS will automatically delete the key material after the expiration period. You can also delete imported key material on demand. In both cases the key material itself is deleted but the KMS key reference in AWS KMS and associated metadata are retained so that the key material can be re-imported in the future. Keys generated by AWS KMS do not have an expiration time and cannot be deleted immediately; there is a mandatory 7 to 30 day wait period. All customer managed KMS keys, regardless of whether the key material was imported, can be manually disabled or scheduled for deletion. In this case the KMS key itself is deleted, not just the underlying key material. https://aws.amazon.com/kms/faqs/

A will be the answer. The key word in the question is automatically expires. For answer B and C, it does not have the expiration date option. It only has the rotate option.

Option C. A customer managed key (option A) that uses customer provided key material would not have the automatic expiration capability by default.

When you import key material, you can set an optional expiration time. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html

A sounds legit.

Definitely A

A is correct - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/import-key-material.html

correct