Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 205 discussion

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.

What should a security engineer do to meet this requirement for this customer managed key?

  • A. Enable automatic key rotation annually for the existing customer managed key.
  • B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
  • C. Import new key material to the existing customer managed key. Manually rotate the key.
  • D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Suggested Answer: D
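The option D procedure as a worked example, added here and not part of the original question or any commenter's post. It assumes a boto3-style KMS client object (`kms`; boto3 itself is not imported, and `FakeKMS` is a constructed in-memory stand-in), creates a new key with `Origin=EXTERNAL`, imports material wrapped with the public key KMS returns, and moves the alias to the new key; the `wrap` callable is assumed to be supplied by the caller, and the lambda in `demo_rotation` is a placeholder rather than real RSAES-OAEP-SHA256 wrapping. The branch for AWS-generated key material (option A) is included for contrast.

```python
"""Yearly rotation of a KMS customer managed key with imported material (Origin=EXTERNAL)."""

def import_new_key(kms, material, wrap):
    """Create an EXTERNAL key and import `material` as wrapped by `wrap(public_key, material)`."""
    key_id = kms.create_key(Origin="EXTERNAL", KeySpec="SYMMETRIC_DEFAULT")["KeyMetadata"]["KeyId"]
    params = kms.get_parameters_for_import(KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256",
                                           WrappingKeySpec="RSA_2048")
    kms.import_key_material(KeyId=key_id, ImportToken=params["ImportToken"],
                            EncryptedKeyMaterial=wrap(params["PublicKey"], material),
                            ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
    return key_id

def rotate_key(kms, alias_name, new_material, wrap):
    """Rotate the key behind `alias_name`; returns the key ID now backing the alias."""
    old = kms.describe_key(KeyId=alias_name)["KeyMetadata"]
    if old["Origin"] != "EXTERNAL":        # AWS-generated material: KMS can rotate it yearly itself
        kms.enable_key_rotation(KeyId=old["KeyId"])
        return old["KeyId"]
    new_key = import_new_key(kms, new_material, wrap)   # imported material: new key, then re-point
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key)
    return new_key  # the old key stays enabled so ciphertext it produced still decrypts

class FakeKMS:
    """Constructed in-memory stand-in for a boto3 KMS client, covering only the calls used above."""
    def __init__(self):
        self.keys, self.aliases = {}, {}
    def create_key(self, Origin="AWS_KMS", KeySpec="SYMMETRIC_DEFAULT"):
        key_id = f"key-{len(self.keys) + 1}"
        self.keys[key_id] = {"KeyId": key_id, "Origin": Origin,
                             "KeyState": "PendingImport" if Origin == "EXTERNAL" else "Enabled"}
        return {"KeyMetadata": dict(self.keys[key_id])}
    def describe_key(self, KeyId):          # accepts a key ID or an alias name, like the real API
        return {"KeyMetadata": dict(self.keys[self.aliases.get(KeyId, KeyId)])}
    def enable_key_rotation(self, KeyId):   # real KMS rejects this call for imported material
        if self.keys[KeyId]["Origin"] == "EXTERNAL":
            raise RuntimeError("UnsupportedOperationException: key material was imported")
        self.keys[KeyId]["RotationEnabled"] = True
    def get_parameters_for_import(self, KeyId, WrappingAlgorithm, WrappingKeySpec):
        return {"ImportToken": b"token:" + KeyId.encode(), "PublicKey": b"fake-wrapping-key"}
    def import_key_material(self, KeyId, ImportToken, EncryptedKeyMaterial, ExpirationModel):
        assert ImportToken == b"token:" + KeyId.encode(), "token is bound to the key it was issued for"
        self.keys[KeyId]["KeyState"] = "Enabled"
    def update_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId

def demo_rotation(wrap=lambda public_key, material: b"wrapped:" + material):  # placeholder, not OAEP
    kms, alias = FakeKMS(), "alias/app-data"
    old_key = import_new_key(kms, b"year-1 material", wrap)   # year 1: alias -> imported key
    kms.update_alias(AliasName=alias, TargetKeyId=old_key)    # real KMS: create_alias for a new alias
    new_key = rotate_key(kms, alias, b"year-2 material", wrap)  # year 2: rotate behind the alias
    return old_key, new_key, kms.aliases[alias]
```

Against a real account, replace `FakeKMS()` with `boto3.client("kms")` and pass a `wrap` that performs RSAES-OAEP-SHA256 with the returned wrapping public key.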

Comments

m_ch333
2 months, 1 week ago
Selected Answer: D
D: you cannot enable automatic key rotation for a KMS key with imported key material. You can reimport the same key material, but you cannot import different key material into that KMS key. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-considerations.html
upvoted 1 times
IPLogic
3 months, 1 week ago
Selected Answer: D
The correct approach to meet the requirement of rotating the encryption key annually for a customer managed key with imported key material is: D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key. Automatic key rotation is not supported for keys with imported key material. Therefore, you need to manually manage the rotation by creating a new key and updating the alias to point to the new key each year.
upvoted 1 times
IPLogic
3 months, 1 week ago
Option C (Import new key material to the existing customer managed key. Manually rotate the key) is not suitable because AWS KMS does not support re-importing key material into an existing key. Once key material is imported into a KMS key, it cannot be changed or re-imported. Therefore, the correct approach is to create a new customer managed key, import the new key material into this new key, and then update the key alias to point to the new key (Option D).
upvoted 1 times
723993f
3 months, 3 weeks ago
Selected Answer: C
C is the answer; D is unnecessary work. A KMS CMK = metadata (ID, other fields) + imported material (crypto), thus the KMS CMK can continue as is with the same ID, and we can import new material to it. Why not D: there is no mention of an alias being used, and no, it's not obvious; one must mention that an alias was created and is being used by apps for D to be a viable solution.
upvoted 1 times
molerowan
3 days, 2 hours ago
Imported key material cannot be replaced in the same KMS key https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-considerations.html
upvoted 1 times
dhewa
4 months, 3 weeks ago
Selected Answer: D
To comply with the policy of rotating encryption keys annually, the recommended approach is to create a new customer managed key, import new key material to this new key, and then update the key alias to point to the new key. This ensures that the key rotation is handled correctly and securely.
upvoted 1 times
imymoco
4 months, 3 weeks ago
Why not C? I think C is correct. D is viable, but it has more operational overhead.
upvoted 1 times
gkaself
5 months ago
Selected Answer: D
Correct answer is D
upvoted 2 times
mikelord
5 months, 2 weeks ago
Selected Answer: D
Option D makes more sense.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other