AWS Secrets Manager Key Rotation and Configuration - Best Practices and Steps

Configuring AWS KMS Keys for Secrets Encryption in AWS Secrets Manager

Question

A mobile application uses credentials stored in AWS Secrets Manager to access data in an Amazon RDS database.

To meet an audit requirement, the Security Manager has asked you to change the AWS KMS key used to encrypt the secrets in AWS Secrets Manager.

You changed the AWS KMS CMK using the Secrets Manager console. Which of the following additional configurations must be done before the new encryption key is in use?

Answers

Explanations


Correct Answer: B.

Whenever the AWS KMS CMK for a secret in AWS Secrets Manager is changed, the secret value must also be updated with "UpdateSecret".

Changing the key setting by itself does not re-encrypt what is already stored. The UpdateSecret call that supplies the secret value writes a new version of the secret, and Secrets Manager encrypts that version under the new CMK; until then the stored value can only be decrypted with the old CMK.

If the old CMK is deleted before the secret value is updated, the existing secret can no longer be decrypted and its contents are lost.

Option A is incorrect: deleting the old CMK first leaves Secrets Manager unable to decrypt the stored secret, and all of its content is lost.

The old CMK should be disabled or deleted only after the secret value has been updated with "UpdateSecret". Disabling the key first is reversible, and KMS enforces a waiting period of 7 to 30 days on a scheduled deletion, so disable it, confirm that every consumer of the secret still works, and only then schedule the deletion.

Options C and D are incorrect: neither editing the value by hand in the console nor rotating the secret is the step the question asks for. The required step is the UpdateSecret call that writes a new version of the secret value encrypted under the new CMK.

For more information on changing the AWS KMS key used by a secret in AWS Secrets Manager, refer to the following URL:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html

When you change the AWS KMS customer master key (CMK) used to encrypt a secret in AWS Secrets Manager, one additional step is required before the new key is actually protecting the secret. The correct answer is option B: the secret value must be updated with the "UpdateSecret" command.

AWS Secrets Manager stores and manages sensitive data such as API keys, passwords and database credentials, and it encrypts that data with CMKs from AWS KMS. If you do not choose a key, Secrets Manager uses the AWS managed key aws/secretsmanager, which is created in your account the first time it is needed. You can instead select your own CMK for each secret.

Changing the CMK attached to a secret only changes which key is used for new encryption; it does not re-encrypt the value that is already stored. You therefore need to write the secret value again with UpdateSecret, which creates a new version encrypted under the new CMK and ensures the secret remains readable once the old key is retired.

Option A, deleting the old CMK in AWS KMS, is not the required step. Deleting it before the secret value has been re-written makes the existing secret unreadable, and it also breaks anything else that was encrypted under that key.

Option C, editing the encrypted value by hand in the Secrets Manager console, is not required. Secrets Manager performs the encryption and decryption itself, so the operator never handles ciphertext; the step that matters is the UpdateSecret call that supplies the secret value.

Option D, rotating the secret, is good practice for keeping credentials fresh, but rotation is not the step the question calls for when the CMK is changed.

In summary, after changing the CMK used by a secret in AWS Secrets Manager, update the secret value with the "UpdateSecret" command so that a version encrypted under the new key exists, and only then disable or delete the old key.
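The procedure both explanations describe (change the key, write the secret value again, then retire the old key) written out against the Secrets Manager API, as an added example that is not code from this page or from AWS. It assumes boto3 is installed for a real run, and the secret name, key ARNs and the sample responses used in testing are constructed for illustration. The API calls themselves (UpdateSecret, DescribeSecret, GetSecretValue, ListSecretVersionIds and its per-version KmsKeyIds field) are real. Rather than assuming what the service re-encrypts, the check asks Secrets Manager which key each stored version still depends on, so the old key is only reported as safe to retire when no version lists it.

```python
"""Re-key a Secrets Manager secret, then check what still depends on the old key.

Example code, not from the page or from AWS. Secret names and key ARNs used
with this module are placeholders chosen by the caller.
"""


def rekey_secret(sm, secret_id, new_key_id, new_secret_string):
    """Attach new_key_id to the secret and write the value in the same call.

    Changing KmsKeyId on its own does not re-encrypt what is already stored;
    supplying SecretString creates a new AWSCURRENT version, which Secrets
    Manager encrypts under the key now attached. Returns the new version id.
    """
    resp = sm.update_secret(
        SecretId=secret_id,
        KmsKeyId=new_key_id,
        SecretString=new_secret_string,
    )
    return resp["VersionId"]


def _key_matches(candidate, key_id):
    # Secrets Manager reports key ARNs; accept either a full ARN or a bare key id.
    return candidate == key_id or candidate.endswith("/" + key_id)


def versions_using_key(sm, secret_id, key_id):
    """Return [(version_id, stages)] for every version still encrypted under key_id.

    Deprecated (unstaged) versions are included because they remain readable
    by version id until Secrets Manager purges them.
    """
    found = []
    kwargs = {"SecretId": secret_id, "IncludeDeprecated": True}
    while True:
        resp = sm.list_secret_version_ids(**kwargs)
        for v in resp.get("Versions", []):
            if any(_key_matches(k, key_id) for k in v.get("KmsKeyIds", [])):
                found.append((v["VersionId"], list(v.get("VersionStages", []))))
        token = resp.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token


def rekey_and_check(sm, secret_id, old_key_id, new_key_id, new_secret_string):
    """Full procedure: re-key, verify the new version is live, report leftovers.

    The old key is only reported as safe to retire when no stored version
    still lists it; keep it enabled (or at least not deleted) until then.
    """
    new_version = rekey_secret(sm, secret_id, new_key_id, new_secret_string)

    # Check 1: the secret is now attached to the new key.
    attached = sm.describe_secret(SecretId=secret_id).get("KmsKeyId", "")
    if not _key_matches(attached, new_key_id):
        raise RuntimeError(f"secret still attached to {attached!r}")

    # Check 2: AWSCURRENT (what the application reads) is the version just written
    # and decrypts successfully.
    current = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    if current["VersionId"] != new_version:
        raise RuntimeError("AWSCURRENT is not the version that was just written")

    # Check 3: which versions would become unreadable if old_key_id were deleted.
    leftovers = versions_using_key(sm, secret_id, old_key_id)
    return {
        "new_version": new_version,
        "still_on_old_key": leftovers,
        "old_key_safe_to_retire": not leftovers,
    }


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above import without boto3 present

    # usage: python rekey.py <secret-id> <old-key-arn> <new-key-arn>  < value.txt
    # The new secret value is read from stdin so it never appears in the
    # process list or shell history.
    secret_id, old_key, new_key = sys.argv[1:4]
    value = sys.stdin.read().rstrip("\n")
    print(rekey_and_check(boto3.client("secretsmanager"), secret_id, old_key, new_key, value))
```

Run it once per secret before touching the old key. A non-empty still_on_old_key list normally contains the AWSPREVIOUS version; that is expected, and the right response is to disable the old key rather than delete it until that version is no longer needed.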