AWS Certified Security - Specialty: Rectifying Expiring KMS Customer Master Key

Rectifying Expiring KMS Customer Master Key

Question

You serve as a KMS Key Administrator for your company department.

A KMS customer master key (CMK) with imported key material is about to expire.

You need to keep using the same key material in the CMK, and the application should keep using the same CMK.

Which option should be used to rectify this situation?

Answers

Explanations


Answer: B.

Option A is incorrect because you can change the expiration date of a KMS key only by reimporting the same key material and specifying a new expiration date.

Option B is CORRECT because to change the expiration date of a KMS key, you must reimport the same key material and specify a new expiration date.

Option C is incorrect because you cannot import different key material into a CMK.

Option D is incorrect because you should not use a new CMK as the same CMK needs to be used by the application.

Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html

https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html

In this scenario, a KMS customer master key (CMK) with imported key material is about to expire. You need to keep the same key material in the CMK, and the application should keep using the same CMK. Let's discuss the options provided and determine which one is the best fit.

Option A: Navigate to the AWS KMS in the management console. Locate the KMS CMK with the Origin value of EXTERNAL. In the Key Material section, update the Expiration Date. This option is incorrect because imported key material cannot be updated, and updating the expiration date is not possible either.

Option B: Encrypt the same key material and reimport the key material to the same CMK. This option is possible but unnecessary, since the same key material already exists in the KMS CMK.

Option C: Generate a new key material. Download the wrapping key and import token. Encrypt the key material and import the key material into the KMS CMK. This option is incorrect because generating new key material would not help maintain the same key material in the KMS CMK.

Option D: Create a new KMS CMK. Download the wrapping key and import token. Encrypt the key material and import the key material into the new KMS CMK. This option is the best fit because it allows you to maintain the same key material and create a new KMS CMK that can be used by the application.

To implement option D, follow these steps:

  1. Create a new KMS CMK with the same key material as the expiring KMS CMK.
  2. Download the wrapping key and import token for the new KMS CMK.
  3. Encrypt the key material using the wrapping key.
  4. Import the encrypted key material into the new KMS CMK using the import token.
  5. Update the application to use the new KMS CMK.

In summary, option D is the correct solution because it allows you to maintain the same key material and create a new KMS CMK that can be used by the application.
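The reimport that Option B describes (and the wrap-and-import steps 2 to 4 of the procedure above, which differ only in the target key id), as an added Python/boto3 example that is not part of the original page: it fetches the wrapping public key and import token, wraps the key material with RSAES_OAEP_SHA_256, and calls ImportKeyMaterial with a new ValidTo. The KMS client, key id, alias and file path are assumptions, and the wrapping step assumes the `cryptography` package is installed.

```python
import datetime as dt


def wrap_key_material(wrapping_public_key_der: bytes, key_material: bytes) -> bytes:
    """Encrypt raw key material under the KMS wrapping public key (RSAES_OAEP_SHA_256).

    The DER public key comes from GetParametersForImport, together with the import token.
    Assumes the 'cryptography' package; imported lazily so the rest of the file loads without it.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    public_key = serialization.load_der_public_key(wrapping_public_key_der)
    oaep = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
    return public_key.encrypt(key_material, oaep)


def build_import_request(key_id, import_token, wrapped_material, valid_to):
    """Parameters for ImportKeyMaterial; ValidTo is what sets the new expiration date."""
    return {
        "KeyId": key_id,
        "ImportToken": import_token,
        "EncryptedKeyMaterial": wrapped_material,
        "ValidTo": valid_to,
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
    }


def reimport_same_material(kms, key_id, key_material, valid_to, wrap=wrap_key_material):
    """Reset the expiration of an EXTERNAL-origin CMK by reimporting its own key material.

    kms: a boto3 KMS client (boto3.client("kms")) or any object with the same two methods.
    key_material: must be byte-for-byte the material the CMK already holds (32 bytes for a
    symmetric CMK); KMS rejects anything else with IncorrectKeyMaterialException, which is
    what guarantees the same CMK keeps the same key and the application needs no change.
    """
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048"
    )
    wrapped = wrap(params["PublicKey"], key_material)
    request = build_import_request(key_id, params["ImportToken"], wrapped, valid_to)
    kms.import_key_material(**request)
    return request


if __name__ == "__main__":
    import boto3  # assumes AWS credentials and a CMK whose Origin is EXTERNAL
    new_expiry = dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=365)
    material = open("PlaintextKeyMaterial.bin", "rb").read()  # placeholder: your stored material
    reimport_same_material(boto3.client("kms"), "alias/example-external-cmk", material, new_expiry)
```

The import token and wrapping key returned by GetParametersForImport are only valid for 24 hours, so the wrap and import must happen in the same window.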