I enable encryption on an S3 bucket that I have created with the following selections.
Refer to the figure below. With the KMS encryption key selected as the AWS managed key (aws/s3), which of the following statements is NOT true?
Answer: B.
Option A is incorrect.
AWS managed KMS keys cannot be deleted, unlike their customer managed counterparts.
Option B is CORRECT.
AWS managed KMS keys are rotated only automatically, on a schedule that KMS sets; customer managed KMS keys can be rotated automatically or manually.
Manual rotation (creating a new key and pointing the alias at it) gives you control over the rotation schedule and the properties of the new key, but the old key must stay available to decrypt data encrypted under it.
Option C is incorrect.
AWS KMS integrates with CloudTrail, which records calls to KMS made by users, roles, and other AWS services (including S3 when it encrypts and decrypts objects on your behalf).
Every API call to KMS is captured as a CloudTrail event that can be delivered to an S3 bucket or sent to CloudWatch Logs for analysis.
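The following is an added example, not part of the original question or explanation. It shows what a practitioner actually does with those CloudTrail events: parse the records, keep only the kms.amazonaws.com ones, tally which principal called which KMS operation against which key, recover the S3 objects involved from the `aws:s3:arn` encryption context that S3 attaches to SSE-KMS calls, and flag principals that decrypted data but are not on an allow list. The log, key ARN, account number and role names are constructed for the example; only the record shape follows what CloudTrail emits for KMS.

```python
"""Summarize KMS activity from a CloudTrail log file (added example).

The records below are constructed to match the shape CloudTrail uses for
KMS API calls (eventSource kms.amazonaws.com); they are not real logs.
"""
import json
from collections import Counter, defaultdict

ACCOUNT = "123456789012"  # placeholder account
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
APP_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/AppRole/app-01"
CONTRACTOR = f"arn:aws:sts::{ACCOUNT}:assumed-role/ContractorRole/laptop"
ADMIN_USER = f"arn:aws:iam::{ACCOUNT}:user/alice"

# Operations that touch data keys or ciphertext, as opposed to key management.
DATA_OPS = {"Encrypt", "Decrypt", "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo"}


def _kms_record(event, principal, s3_arn=None, invoked_by=None):
    """Build one constructed CloudTrail record for a KMS call."""
    rec = {
        "eventVersion": "1.08",
        "eventSource": "kms.amazonaws.com",
        "eventName": event,
        "eventTime": "2024-01-15T10:00:00Z",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole", "arn": principal},
        "requestParameters": {},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key", "accountId": ACCOUNT}],
    }
    if s3_arn:
        # S3 passes the object ARN as encryption context on SSE-KMS calls.
        rec["requestParameters"]["encryptionContext"] = {"aws:s3:arn": s3_arn}
    if invoked_by:
        rec["userIdentity"]["invokedBy"] = invoked_by
    return rec


# Constructed log: five KMS calls plus one S3 call that must be filtered out.
SAMPLE_LOG = json.dumps({"Records": [
    _kms_record("GenerateDataKey", APP_ROLE, "arn:aws:s3:::acme-data/reports/q1.csv", "s3.amazonaws.com"),
    _kms_record("Decrypt", APP_ROLE, "arn:aws:s3:::acme-data/reports/q1.csv", "s3.amazonaws.com"),
    _kms_record("Decrypt", APP_ROLE, "arn:aws:s3:::acme-data/reports/q2.csv", "s3.amazonaws.com"),
    _kms_record("Decrypt", CONTRACTOR, "arn:aws:s3:::acme-data/reports/q1.csv", "s3.amazonaws.com"),
    _kms_record("DescribeKey", ADMIN_USER),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE}},
]})


def load_kms_records(text):
    """Parse a CloudTrail JSON document and keep only KMS events."""
    return [r for r in json.loads(text)["Records"]
            if r.get("eventSource") == "kms.amazonaws.com"]


def key_arn_of(rec):
    """Key ARN from the resources list, falling back to requestParameters.keyId."""
    for res in rec.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res["ARN"]
    return rec.get("requestParameters", {}).get("keyId")


def calls_by_key(records):
    """key ARN -> Counter of (principal ARN, eventName)."""
    out = defaultdict(Counter)
    for r in records:
        out[key_arn_of(r)][(r["userIdentity"]["arn"], r["eventName"])] += 1
    return out


def s3_objects_touched(records):
    """(principal, object ARN, eventName) for every SSE-KMS data-key call."""
    hits = []
    for r in records:
        ctx = r.get("requestParameters", {}).get("encryptionContext", {})
        if r["eventName"] in DATA_OPS and "aws:s3:arn" in ctx:
            hits.append((r["userIdentity"]["arn"], ctx["aws:s3:arn"], r["eventName"]))
    return hits


def principals_outside(records, allowed):
    """Principals that used the key for data operations but are not allow-listed."""
    return sorted({r["userIdentity"]["arn"] for r in records
                   if r["eventName"] in DATA_OPS and r["userIdentity"]["arn"] not in allowed})


if __name__ == "__main__":
    recs = load_kms_records(SAMPLE_LOG)
    for (who, op), n in calls_by_key(recs)[KEY_ARN].items():
        print(f"{n:3d} {op:<18} {who}")
    print("unexpected:", principals_outside(recs, {APP_ROLE}))
```

In a real deployment the same functions run over the gzipped CloudTrail objects delivered to the trail's bucket; the point is that KMS records carry both the key ARN and, for S3, the object ARN, so a per-key view of who decrypted what needs no extra instrumentation.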
Option D is incorrect.
AWS managed KMS keys cannot be deleted, disabled, or rotated by the user, and their key policies cannot be changed.
They can only be viewed and audited within the account that owns them.
Customer managed KMS keys, on the other hand, are fully under the user's control: key policies, IAM policies, enabling and disabling, rotation, deletion, and so on.
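The following is an added example, not part of the original explanation. It turns the AWS managed versus customer managed distinction into a pre-flight check: given the `KeyMetadata` that `aws kms describe-key` (or boto3 `describe_key()`) returns, it reports which management calls can succeed on the key and which rotation mode applies. It goes slightly beyond the question by also handling a customer managed key with imported material, which KMS will not rotate automatically. The metadata dicts, key IDs and account number are constructed placeholders, not captured from an account.

```python
"""Pre-flight check for KMS key management actions (added example).

Classifies a key from the KeyMetadata dict returned by DescribeKey and
reports which management operations can succeed on it. All metadata below
is constructed; the IDs and account number are placeholders.
"""
from dataclasses import dataclass

ACCOUNT = "123456789012"  # placeholder account


def _meta(key_id, manager, origin="AWS_KMS", spec="SYMMETRIC_DEFAULT", description=""):
    """Constructed subset of the KeyMetadata fields DescribeKey returns."""
    return {
        "KeyId": key_id,
        "Arn": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{key_id}",
        "KeyState": "Enabled",
        "KeyManager": manager,   # "AWS" or "CUSTOMER"
        "Origin": origin,        # "AWS_KMS" (KMS-generated) or "EXTERNAL" (imported)
        "KeySpec": spec,
        "Description": description,
    }


# The AWS managed key behind alias aws/s3 (constructed).
AWS_S3_KEY = _meta("11111111-2222-3333-4444-555555555555", "AWS", description="aws/s3 default key")
# A customer managed key whose material KMS generated (constructed).
CUSTOMER_KEY = _meta("22222222-2222-3333-4444-555555555555", "CUSTOMER", description="app-data")
# A customer managed key with imported material (constructed).
IMPORTED_KEY = _meta("33333333-2222-3333-4444-555555555555", "CUSTOMER", origin="EXTERNAL",
                     description="imported-material")


@dataclass(frozen=True)
class Capabilities:
    schedule_deletion: bool
    enable_disable: bool
    change_key_policy: bool
    toggle_automatic_rotation: bool
    rotate_manually: bool


def capabilities(meta):
    """Which management actions the caller can expect to succeed on this key."""
    customer = meta["KeyManager"] == "CUSTOMER"
    # Automatic rotation exists only for symmetric keys whose material KMS
    # generated itself; imported material must be rotated by hand.
    auto_ok = (customer and meta["KeySpec"] == "SYMMETRIC_DEFAULT"
               and meta["Origin"] == "AWS_KMS")
    return Capabilities(
        schedule_deletion=customer,
        enable_disable=customer,
        change_key_policy=customer,
        toggle_automatic_rotation=auto_ok,
        rotate_manually=customer,
    )


# KMS API operations a practitioner would issue, mapped to the capability needed.
# "ManualRotation" is not an API: it is CreateKey followed by UpdateAlias.
OPERATION_TO_CAPABILITY = {
    "ScheduleKeyDeletion": "schedule_deletion",
    "DisableKey": "enable_disable",
    "EnableKey": "enable_disable",
    "PutKeyPolicy": "change_key_policy",
    "EnableKeyRotation": "toggle_automatic_rotation",
    "DisableKeyRotation": "toggle_automatic_rotation",
    "ManualRotation": "rotate_manually",
}


def preflight(meta, operation):
    """Return (allowed, reason) for attempting `operation` on this key."""
    cap = capabilities(meta)
    if getattr(cap, OPERATION_TO_CAPABILITY[operation]):
        return True, f"{operation} is available on customer managed key {meta['KeyId']}"
    if meta["KeyManager"] == "AWS":
        return False, (f"{operation} is not available: {meta['KeyId']} is AWS managed; "
                       "it can only be viewed and audited, and KMS rotates it on its own schedule")
    return False, (f"{operation} is not available for Origin={meta['Origin']} "
                   f"KeySpec={meta['KeySpec']}")


def rotation_mode(meta):
    """'fixed' (AWS managed), 'automatic-or-manual', or 'manual-only'."""
    if meta["KeyManager"] == "AWS":
        return "fixed"
    return "automatic-or-manual" if capabilities(meta).toggle_automatic_rotation else "manual-only"


if __name__ == "__main__":
    for key in (AWS_S3_KEY, CUSTOMER_KEY, IMPORTED_KEY):
        print(key["Description"], rotation_mode(key))
        for op in OPERATION_TO_CAPABILITY:
            print("  ", op, preflight(key, op))
```

The check is deliberately local: it tells you before you call the API that `ScheduleKeyDeletion` or `PutKeyPolicy` on the aws/s3 key will be refused, which is exactly the distinction the question turns on. If you need independent control over deletion, policy or rotation for bucket data, choose a customer managed key in the bucket's encryption settings instead of aws/s3.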
References:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
https://youtu.be/SOnJyqwGn1I