Exam AWS-SysOps topic 1 question 749 discussion

Exam question from Amazon's AWS-SysOps
Question #: 749
Topic #: 1

A SysOps Administrator is using AWS KMS with AWS-generated key material to encrypt an Amazon EBS volume in a company's AWS environment. The Administrator wants to rotate the KMS keys using automatic key rotation, and needs to ensure that the EBS volume encrypted with the current key remains readable.
What should be done to accomplish this?

  • A. Back up the current KMS key and enable automatic key rotation.
  • B. Create a new key in AWS KMS and assign the key to Amazon EBS.
  • C. Enable automatic key rotation of the EBS volume key in AWS KMS.
  • D. Upload new key material to the EBS volume key in AWS KMS to enable automatic key rotation for the volume.
Suggested Answer: C
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Comments

Jichu
Highly Voted 2 years, 7 months ago
C is the correct answer
upvoted 5 times
yigido
2 years, 6 months ago
Answer is C, you need to create CMK. AWS KMS supports optional automatic key rotation only for customer managed CMKs. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
upvoted 1 times
yigido
2 years, 6 months ago
Sorry B
upvoted 2 times
...
...
...
albert_kuo
Most Recent 9 months, 1 week ago
Selected Answer: C
Enabling automatic key rotation in AWS KMS ensures that new cryptographic key material is generated automatically on a regular basis. When automatic key rotation is enabled for the EBS volume key, AWS KMS will handle the rotation process for you, generating new key material while maintaining the ability to decrypt data encrypted with the previous key material.
upvoted 1 times
...
ZL23
2 years, 5 months ago
C. As I understand it, a CMK can be created with AWS-generated key material, by importing your own key material, or by creating the key material in the AWS CloudHSM cluster associated with an AWS KMS custom key store. No matter which one, it can be either customer managed or AWS managed. On the other hand, "automatic key rotation" can happen on both customer managed and AWS managed CMKs; the difference is that one is optional for each 1 year and the other is required for each 3 years. Therefore, based on the description in this question, I took it as the SysOps is using a customer managed CMK (that's why he/she "wants" to rotate the key), so he/she just needs to enable automatic key rotation via console or KMS API without creating a new CMK (especially since it mentioned ensuring that the EBS volume encrypted with the "current key" remains readable). https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
upvoted 1 times
...
Kimle
2 years, 5 months ago
C is correct. The question says AWS-generated key material, and a customer managed CMK can be generated from material provided by AWS or by importing material. Don't confuse it with an AWS managed CMK, which has rotation only every 3 years.
upvoted 1 times
...
abhishek_m_86
2 years, 6 months ago
C. Enable automatic key rotation of the EBS volume key in AWS KMS.
upvoted 1 times
...
jackdryan
2 years, 6 months ago
I'll go with C
upvoted 1 times
...
Newguru2020
2 years, 6 months ago
Doesn't the question mention that the Admin wants to use automatic key rotation? In this case, Ans C
upvoted 1 times
...
tifoz
2 years, 6 months ago
B
Keywords are:
- AWS-generated key material
- automatic key rotation
"AWS KMS supports optional automatic key rotation only for customer managed CMKs." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 2 times
saki0915
2 years, 5 months ago
If you need to change the key due to this issue, you will need to recreate the volume. So B is incorrect. https://aws.amazon.com/premiumsupport/knowledge-center/ebs-change-encryption-key/?nc1=h_ls
upvoted 1 times
...
...
AWSTiger
2 years, 6 months ago
I prefer answer B reason being that AWS managed CMKs. You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed CMKs every three years (1095 days). In order to enable key rotation for another year you need to create a new KEY and it will enable a yearly rotation - hence B being the best option me thinks.
upvoted 2 times
lydia_young
2 years, 6 months ago
That's right, but it just says to use automatic key rotation; there is no information about the period. So I'll go C
upvoted 2 times
...
...
Jomiky
2 years, 6 months ago
Why can't "A" be a valid answer?
upvoted 1 times
AWSTiger
2 years, 6 months ago
Key rotation changes only the backing key; you don't need to do a backup because AWS saves the backing key and keeps, i.e., the IDs the same: When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK.
upvoted 2 times
MrCarter
2 years, 5 months ago
Perfect explanation straight from the documentation AWSTiger.
upvoted 1 times
...
...
...
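The check the thread converges on (answer C), written out as an added example that is not part of the original discussion: find the KMS key behind an EBS volume, confirm it is customer managed with AWS-generated material, and enable automatic rotation on that same key. The function name, the `Fake*` stand-ins and every ID are constructed for illustration; the four client methods called are the boto3 EC2/KMS operations of the same names, so real `boto3.client("ec2")` and `boto3.client("kms")` objects can be passed instead.

```python
# Added example (not from the exam page). Works with boto3 EC2/KMS clients;
# the Fake* classes and all IDs below are constructed so it runs offline.

def enable_rotation_for_volume(ec2, kms, volume_id):
    """Enable automatic rotation on the KMS key behind an EBS volume.

    Returns (key_id, outcome). The key ID is read from the volume and is
    not changed, so the volume keeps pointing at the same KMS key.
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if not vol.get("Encrypted"):
        return None, "volume-not-encrypted"
    key_id = vol["KmsKeyId"]
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta["KeyManager"] != "CUSTOMER":
        return key_id, "aws-managed-key"      # rotation is not user-controlled
    if meta["Origin"] != "AWS_KMS":
        return key_id, "not-aws-generated"    # question assumes AWS-generated material
    if kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
        return key_id, "already-enabled"
    kms.enable_key_rotation(KeyId=key_id)
    return key_id, "enabled"

class FakeEC2:  # constructed stand-in for boto3.client("ec2")
    def __init__(self, volumes):
        self.volumes = volumes

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}

class FakeKMS:  # constructed stand-in for boto3.client("kms")
    def __init__(self, keys):
        self.keys = keys  # key_id -> [KeyManager, Origin, rotation_enabled]

    def describe_key(self, KeyId):
        manager, origin, _ = self.keys[KeyId]
        return {"KeyMetadata": {"KeyManager": manager, "Origin": origin}}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.keys[KeyId][2]}

    def enable_key_rotation(self, KeyId):
        self.keys[KeyId][2] = True

def demo():
    ec2 = FakeEC2({"vol-cmk": {"Encrypted": True, "KmsKeyId": "key-cmk"},
                   "vol-aws": {"Encrypted": True, "KmsKeyId": "key-aws"},
                   "vol-plain": {"Encrypted": False}})
    kms = FakeKMS({"key-cmk": ["CUSTOMER", "AWS_KMS", False],
                   "key-aws": ["AWS", "AWS_KMS", True]})
    order = ("vol-cmk", "vol-cmk", "vol-aws", "vol-plain")
    return [enable_rotation_for_volume(ec2, kms, v) for v in order]
```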