Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?
A. Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
B. Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
C. Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
D. Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.
A is the best answer I see here:
https://aws.amazon.com/kms/faqs/
Q: Do I have to re-encrypt my data after keys in AWS KMS are rotated?
If you choose to have AWS KMS automatically rotate keys, you don’t have to re-encrypt your data. AWS KMS automatically keeps previous versions of keys to use for decryption of data encrypted under an old version of a key. All new encryption requests against a key in AWS KMS are encrypted under the newest version of the key.
If you manually rotate your imported or custom key store keys, you may have to re-encrypt your data depending on whether you decide to keep old versions of keys available.
Hello. In my opinion, your point is not 100% valid. It is not needed to re-encrypt, but if you do not re-encrypt, you will use the compromised key to decrypt all data. Then, your data is still compromised. I think that B is the best option because even if others have the compromised one, they cannot access your data.
B-
Comment:
Automatic key rotation has the following benefits:
The properties of the CMK, including its key ID, key ARN, region, policies, and permissions, do not change when the key is rotated.
You do not need to change applications or aliases that refer to the CMK ID or ARN.
After you enable key rotation, AWS KMS rotates the CMK automatically every year. You don't need to remember or schedule the update.
However, automatic key rotation has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK, and it will not mitigate the effect of a compromised data key.
You might decide to create a new CMK and use it in place of the original CMK. This has the same effect as rotating the key material in an existing CMK, so it's often thought of as manually rotating the key. Manual rotation is a good choice when you want to control the key rotation schedule. It also provides a way to rotate CMKs with imported key material.
I think you are right, but the question asks to "limit", not totally remove. If we want to be 100% sure then we have to rotate the key but re-encrypt everything all over again, which is most of the time not feasible. So I support A.
Yeah, but it says key compromise; wouldn't you want to re-encrypt it with a new key, since the key compromise would expose the data previously encrypted with the stolen key?
Option B reduces the exposure of data if the original key is compromised since all previously encrypted data is re-encrypted with a new key. By re-encrypting data with a new CMK, you are essentially limiting the impact of a key compromise to data that was encrypted with the compromised key.
Option A only involves rotating the master key for future operations but does not address previously encrypted data. In the event of a key compromise, any data encrypted by the old key would still be at risk.
This is a tricky question.
The focus is on minimizing the potential scope of data exposed by a possible future key compromise.
If rotating the key without re-encrypting previous encrypted data, that will NOT minimize the scope of exposed data.
In case of a compromised key, it is OBLIGATORY to re-encrypt data with a new one, or what is the point of rotating the key?!
That being said, generating a new key and re-encrypting data with it will be the solution for a compromised key issue to minimize the scope of data exposed.
Best answer is B.
Correct answer is 'A'. The question is asking to find the scope of the data that has been compromised if a specific key is compromised. If an old or future version of the key is compromised, then we can find which data has been encrypted with the compromised key version. This way we can find out the scope.
Re-read the question; I misunderstood it at first. The key element in the question is "what if the key WILL be compromised".
I read those who supported A and those who supported B.
I think the answer is A, but at first I misread the question and thought it was asking how to protect data that already exists when a key is compromised.
If it's for the future, auto rotation works.
I vote A after reading.
The answer is B.
Do your own research. don't just choose the majority side.
Automatic Key Rotation can't help in case of a compromised key. Look at the AWS Docs.
automatic key rotation has no effect on the data that the KMS key protects. It does not rotate the data keys that the KMS key generated or re-encrypt any data protected by the KMS key, and it will not mitigate the effect of a compromised data key.
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
New Question:
A company uses AWS KMS with CMKs and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days. Which solution will accomplish this?
A. Configure AWS KMS to publish to an Amazon SNS topic when keys are more than 90 days old.
B. Configure an Amazon CloudWatch Events event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon SNS topic.
C. Develop an AWS Config custom rule that publishes to an Amazon SNS topic when keys are more than 90 days old.
D. Configure AWS Security Hub to publish to an Amazon SNS topic when keys are more than 90 days old.
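Whichever service triggers it, a 90-day check on manually rotated keys needs logic that KMS itself does not provide: under manual rotation a "rotation" is a new key plus an alias repointed at it, so the age to measure is the time since the alias was last updated (falling back to the key's creation date when no alias points at it). The function below is an added example written for this page, not AWS or Config code. It takes DescribeKey-shaped key metadata and ListAliases-shaped alias entries (the field names KeyId, KeyManager, KeyState, CreationDate, TargetKeyId and LastUpdatedDate are the ones the KMS API returns) and produces evaluations in the shape AWS Config's PutEvaluations expects; the sample keys and aliases are constructed, and the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)


def last_rotation_time(key_meta, aliases):
    """Manual rotation = new key + alias repointed to it, so the most recent alias
    update that targets this key is its rotation time. A key no alias points at
    falls back to its CreationDate."""
    updates = [a["LastUpdatedDate"] for a in aliases if a["TargetKeyId"] == key_meta["KeyId"]]
    return max(updates) if updates else key_meta["CreationDate"]


def evaluate_keys(keys, aliases, now, max_age=MAX_AGE):
    """Return AWS Config-style evaluations (the list PutEvaluations takes).
    AWS-managed keys and keys that are not Enabled (e.g. the old key that was
    disabled after a rotation) are NOT_APPLICABLE rather than false positives."""
    evaluations = []
    for k in keys:
        if k["KeyManager"] != "CUSTOMER" or k["KeyState"] != "Enabled":
            compliance, note = "NOT_APPLICABLE", "AWS-managed key or key not enabled"
        else:
            age = now - last_rotation_time(k, aliases)
            compliance = "NON_COMPLIANT" if age > max_age else "COMPLIANT"
            note = "last rotation %d days ago" % age.days
        evaluations.append({
            "ComplianceResourceType": "AWS::KMS::Key",
            "ComplianceResourceId": k["KeyId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": now,
        })
    return evaluations


def non_compliant_ids(evaluations):
    """Key IDs to put in the SNS notification."""
    return sorted(e["ComplianceResourceId"] for e in evaluations
                  if e["ComplianceType"] == "NON_COMPLIANT")


# Constructed sample data in the shape of DescribeKey / ListAliases responses.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    # rotated 30 days ago (alias repointed), created long ago: compliant
    {"KeyId": "key-aaaa", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=400)},
    # alias last repointed 120 days ago: overdue
    {"KeyId": "key-bbbb", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=120)},
    # no alias at all, created 200 days ago: overdue by creation date
    {"KeyId": "key-cccc", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=200)},
    # AWS-managed key (aws/s3 etc.): not in scope for manual rotation
    {"KeyId": "key-dddd", "KeyManager": "AWS", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=700)},
    # previous key retired after the last manual rotation: not in scope
    {"KeyId": "key-eeee", "KeyManager": "CUSTOMER", "KeyState": "Disabled",
     "CreationDate": NOW - timedelta(days=500)},
]
SAMPLE_ALIASES = [
    {"AliasName": "alias/app-db", "TargetKeyId": "key-aaaa",
     "LastUpdatedDate": NOW - timedelta(days=30)},
    {"AliasName": "alias/app-logs", "TargetKeyId": "key-bbbb",
     "LastUpdatedDate": NOW - timedelta(days=120)},
]


def demo():
    return non_compliant_ids(evaluate_keys(SAMPLE_KEYS, SAMPLE_ALIASES, NOW))


if __name__ == "__main__":
    for e in evaluate_keys(SAMPLE_KEYS, SAMPLE_ALIASES, NOW):
        print(e["ComplianceResourceId"], e["ComplianceType"], e["Annotation"])
    print("notify:", demo())
```

In a real deployment the key and alias lists come from paginated list_keys/describe_key and list_aliases calls, and the evaluations go to Config's put_evaluations from the rule's Lambda, with an SNS publish for the NON_COMPLIANT set. The Enabled filter matters in practice: after each manual rotation the previous key stays in the account until you disable it or schedule deletion, and without that filter it would be reported as overdue forever.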