Exam4Training

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.

What should a security engineer do to meet this requirement for this customer managed key?

A. Enable automatic key rotation annually for the existing customer managed key.

B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.

C. Import new key material to the existing customer managed key. Manually rotate the key.

D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

Answer: D

Explanation:

For customer managed keys with imported key material, AWS KMS does not rotate them automatically. Therefore, to adhere to the rotation policy, the security engineer needs to manually import new key material to rotate the key annually.

Now, let’s see why the other options are not suitable:

A. Enable automatic key rotation annually for the existing customer managed key.

This option would be suitable for AWS managed keys and not for customer managed keys with imported key material, as AWS KMS doesn’t automatically rotate keys with imported material.

B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.

Though it’s possible to automate the rotation process using AWS Lambda, this option doesn’t mention importing new key material, which is a necessary step in the rotation of customer managed keys with imported key material.

D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

Creating a new customer managed key and pointing the alias to the new key would work, but it’s a more complex process compared to simply importing new key material into the existing key. Therefore, it is not the most efficient solution to meet the requirement.
