AWS CMK Rotation: Best Practices for Key Material Maintenance and Security

Rotating Customer Master Keys (CMKs) for Enhanced Security

Question

You are working in a financial company as a DevOps engineer.

Your organization is using Customer Master Key (CMK) in KMS for several AWS services.

For the CMK, the key material was imported as the key material needs to be maintained on-premises instead of AWS.

According to the company rule, the key material must be rotated every year.

How should you rotate the CMK?

Answers

Explanations


A. Create a new CMK with new key material. Change the target CMK of the key alias to the new one.

B. Enable automatic key rotation for the CMK through KMS CLI.

C. Reimport the new key material to the CMK every year through KMS CLI.

D. Delete the old CMK first. Create a new CMK with new key material using the same key name and alias.

Answer: A.

Option A is CORRECT because after the new CMK is created, we can use the CLI command to update the alias so that it points to the new CMK.

Option B is incorrect because there is no automatic key rotation for CMK with imported key material.

Option C is incorrect because users cannot import different key material to the same CMK with imported key material.

A new CMK has to be created.

Option D is incorrect because the old CMK should not be deleted: KMS needs it to decrypt data that the original CMK encrypted, otherwise that data would no longer be accessible.

Answer A - CLI Command provided below:

aws kms update-alias --alias-name alias/TestCMK --target-key-id 12345678-1234-1234-5678-123456789012

For more information on CMK and key rotation, refer to the URL provided below.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
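The decision rules in the explanation above (no automatic rotation for a CMK with imported key material, no re-import into the same CMK, rotation by creating a new CMK and repointing the alias, and never deleting the old CMK) written out as a small audit script. This is an added example, not code from the original page or from AWS. It reads the field shapes that `aws kms describe-key`, `aws kms list-aliases` and `aws kms get-key-rotation-status` return, with constructed sample data and a constructed audit date standing in for live API calls; the key IDs, the alias names `alias/Legacy` and `alias/Managed`, and the dates are made up.

```python
"""Rotation audit for KMS keys, covering keys with imported (EXTERNAL) key material.

Added example; it is not code from the original page. It consumes the JSON shapes
returned by `aws kms describe-key` (KeyMetadata), `aws kms list-aliases` and
`aws kms get-key-rotation-status`, embedded below as constructed sample data so the
script runs offline. Every key ID, alias name and date here is made up.
"""
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=365)  # the yearly rotation rule from the question
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "now"

KEY_A = "11111111-1111-1111-1111-111111111111"
KEY_B = "22222222-2222-2222-2222-222222222222"
KEY_C = "33333333-3333-3333-3333-333333333333"
KEY_D = "44444444-4444-4444-4444-444444444444"

# Constructed sample: the KeyMetadata fields this audit needs from describe-key.
SAMPLE_KEYS = {
    KEY_A: {"Origin": "EXTERNAL", "KeyState": "Enabled",
            "CreationDate": "2023-01-15T00:00:00+00:00"},
    KEY_B: {"Origin": "EXTERNAL", "KeyState": "Enabled",
            "CreationDate": "2024-02-01T00:00:00+00:00"},
    KEY_C: {"Origin": "AWS_KMS", "KeyState": "Enabled",
            "CreationDate": "2021-06-01T00:00:00+00:00"},
    KEY_D: {"Origin": "EXTERNAL", "KeyState": "PendingDeletion",
            "CreationDate": "2022-03-01T00:00:00+00:00"},
}

# Constructed sample: list-aliases entries (AWS-managed "alias/aws/*" entries omitted).
SAMPLE_ALIASES = [
    {"AliasName": "alias/TestCMK", "TargetKeyId": KEY_B},
    {"AliasName": "alias/Legacy", "TargetKeyId": KEY_A},
    {"AliasName": "alias/Managed", "TargetKeyId": KEY_C},
]

# Constructed sample: KeyRotationEnabled per key from get-key-rotation-status.
SAMPLE_ROTATION = {KEY_C: True}


def rotation_strategy(meta, rotation_enabled):
    """Decide how a key can be rotated from its Origin and rotation flag."""
    if meta["Origin"] == "EXTERNAL":
        # Imported material cannot be auto-rotated or replaced in place:
        # rotation means a new CMK, a fresh import, and an alias update.
        return "manual"
    return "automatic" if rotation_enabled else "automatic-not-enabled"


def key_age(meta, now):
    """Age of the key material, taken from the key's CreationDate."""
    return now - datetime.fromisoformat(meta["CreationDate"])


def audit(keys, aliases, rotation_status, now):
    """One finding per alias, plus a retention warning per key pending deletion."""
    findings = []
    for alias in aliases:
        key_id = alias["TargetKeyId"]
        meta = keys[key_id]
        strategy = rotation_strategy(meta, rotation_status.get(key_id, False))
        age = key_age(meta, now)
        findings.append({
            "alias": alias["AliasName"],
            "key_id": key_id,
            "strategy": strategy,
            "age_days": age.days,
            # Only manually rotated keys are judged here; KMS handles the others.
            "overdue": strategy == "manual" and age > ROTATION_PERIOD,
        })
    for key_id, meta in keys.items():
        if meta["KeyState"] == "PendingDeletion":
            # Retired CMKs must not be deleted: anything encrypted under them
            # is unrecoverable once the key is gone.
            findings.append({
                "alias": None, "key_id": key_id, "strategy": "retain",
                "age_days": key_age(meta, now).days, "overdue": False,
                "warning": "pending deletion; ciphertext under this key will be lost",
            })
    return findings


def overdue_aliases(findings):
    """Aliases whose target key must be rotated now (new CMK + update-alias)."""
    return sorted(f["alias"] for f in findings if f["overdue"])


def run_sample():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_KEYS, SAMPLE_ALIASES, SAMPLE_ROTATION, AUDIT_TIME)


if __name__ == "__main__":
    for f in run_sample():
        target = f["alias"] or f["key_id"]
        print(f"{target:40} {f['strategy']:22} {f['age_days']:4}d overdue={f['overdue']}")
        if "warning" in f:
            print(f"{'':40} WARNING: {f['warning']}")
```

To run it against a real account, replace the SAMPLE_* values with the parsed JSON from the three CLI commands named in the docstring. An alias reported by overdue_aliases() is the one to repoint with `aws kms update-alias` once the new CMK has been created and its key material imported; the key it used to point at stays in place so that existing ciphertext remains decryptable.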

As a DevOps engineer, you are responsible for rotating the Customer Master Key (CMK) in KMS for several AWS services that use it. The key material was imported as it needs to be maintained on-premises instead of AWS. You must rotate the CMK every year according to company policy. There are four possible answers to how you should rotate the CMK, and we'll evaluate each one below.

A. Create a new CMK with new key material. Change the target CMK of the key alias to the new one.

This approach involves creating a new CMK with new key material and then changing the target CMK of the key alias to the new one. This method ensures that you have a fresh key with new material, but you need to update all the applications that use this key. It can be a cumbersome process for large environments and can cause downtime during the switch-over.

B. Enable automatic key rotation for the CMK through KMS CLI.

This method involves enabling automatic key rotation for the CMK through KMS CLI, which is the preferred way to handle key rotation. With automatic key rotation enabled, KMS will automatically rotate the CMK every year, and it will create a new version of the key with new material, so you don't have to worry about creating a new key and updating the applications.

C. Reimport the new key material to the CMK every year through KMS CLI.

This method involves reimporting the new key material to the CMK every year through KMS CLI. While this approach can work, it requires manual intervention, which can be time-consuming and error-prone.

D. Delete the old CMK first. Create a new CMK with new key material using the same key name and alias.

This method involves deleting the old CMK and creating a new CMK with new key material using the same key name and alias. This approach is not recommended because it can cause downtime during the switch-over, and it can also break any applications that use the old key.

In conclusion, the best approach for rotating the CMK is to enable automatic key rotation for the CMK through KMS CLI. It provides an automated and secure way to rotate the CMK, ensures that you have fresh key material, and minimizes downtime during the process.