AWS Certified Security - Specialty Exam: Key Rotation for Customer Master Keys (CMK) | Amazon Exam Prep

Key Rotation for Customer Master Keys (CMK)

Question

A company has several Customer Master Keys (CMK), some of which have imported key material.

Which of the following options could the security team use for key rotation? Select 2 answers from the options given below.

Answers

A. Enable Automatic Key rotation for CMKs that have imported key material
B. Import new key material to an existing CMK
C. Use CLI or console to rotate CMKs that have imported key material explicitly
D. Import new key material to a new CMK and point the key alias to the new CMK
E. Delete an existing CMK and a new default CMK will be created

Explanations

Answer: C and D.

Option A is incorrect because you cannot enable automatic key rotation for a CMK with imported key material.

Option B is incorrect because you cannot import new material to an existing CMK.

Option C is CORRECT because AWS allows manual rotation of a CMK with imported key material using the AWS Console or CLI.

Option D is CORRECT because you can always import new key material into a new CMK and then point the key alias to the new CMK.

Option E is incorrect because deleting an existing CMK will not create a new CMK.

One set of key material per CMK.

When you import key material into a CMK, the CMK is permanently associated with that key material.

You can reimport the same key material, but you cannot import different key material into that CMK.

Also, you cannot enable automatic key rotation for a CMK with imported key material.

However, you can manually rotate a CMK with imported key material.
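The rules above (a CMK stays bound to its imported key material, automatic rotation is unavailable for it, and manual rotation means a new CMK plus an alias update and re-encryption) modelled in a small local stand-in for KMS. This is an added example, not code from the page or from AWS: FakeKms and manual_rotate are hypothetical names, and the encrypt/decrypt calls only record which key was used rather than performing real encryption.

```python
# Added example, not from the page: a local stand-in for KMS that encodes the
# rules this question tests. It is a model for illustration, not the KMS API.
import hashlib

class KmsError(Exception):
    pass

class FakeKms:
    def __init__(self):
        self.keys, self.aliases, self._n = {}, {}, 0

    def create_key(self, origin="AWS_KMS"):
        """origin is AWS_KMS (KMS-generated material) or EXTERNAL (imported)."""
        self._n += 1
        key_id, material = "key-%d" % self._n, None
        if origin == "AWS_KMS":         # KMS generates and binds its own material
            material = hashlib.sha256(key_id.encode()).hexdigest()
        self.keys[key_id] = {"origin": origin, "material": material, "rotation": False}
        return key_id

    def import_key_material(self, key_id, material):
        key, digest = self.keys[key_id], hashlib.sha256(material).hexdigest()
        if key["origin"] != "EXTERNAL":
            raise KmsError("import is only allowed for an EXTERNAL-origin key")
        if key["material"] not in (None, digest):
            raise KmsError("CMK is permanently bound to its first imported material")
        key["material"] = digest        # first import, or re-import of the same bytes

    def enable_key_rotation(self, key_id):
        if self.keys[key_id]["origin"] == "EXTERNAL":
            raise KmsError("automatic rotation unsupported for imported material")
        self.keys[key_id]["rotation"] = True

    def resolve(self, name):            # alias name or key id -> key id
        return self.aliases.get(name, name)

    def encrypt(self, name, plaintext):  # stand-in: records the key, no real cipher
        return {"key_id": self.resolve(name), "data": plaintext}

    def decrypt(self, ct):              # key id is taken from the ciphertext itself
        return ct["data"]

def manual_rotate(kms, alias, new_material, ciphertexts):
    """Option D: new EXTERNAL CMK, import material, repoint alias, re-encrypt."""
    old, new = kms.resolve(alias), kms.create_key("EXTERNAL")
    kms.import_key_material(new, new_material)
    kms.aliases[alias] = new            # new encryptions now use the new CMK
    redone = [kms.encrypt(alias, kms.decrypt(c)) for c in ciphertexts if c["key_id"] == old]
    return new, redone                  # only then may the old CMK be scheduled for deletion
```

Re-encrypting every ciphertext still bound to the old CMK is the step that makes disabling or deleting it safe; repointing the alias alone changes only what new encryptions use.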

For more information on key rotation, refer to the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

For more information on importing keys, refer to the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html

The security team has several options to rotate customer master keys (CMKs) with imported key material in AWS Key Management Service (KMS). Key rotation is important to maintain the security of data encrypted with these keys, and to meet regulatory and compliance requirements.

The two correct options for the security team are:

A. Enable Automatic Key rotation for CMKs that have imported key material: AWS KMS provides an automatic key rotation feature that can rotate the key material for a CMK on a yearly basis. However, this feature is not available for all CMK types, and only works for those that use AWS-managed key material, not imported key material. Therefore, this option is not applicable for CMKs with imported key material.

C. Use CLI or console to rotate CMKs that have imported key material explicitly: This option involves manually rotating the key material for a CMK with imported key material using the AWS Management Console or AWS CLI. To rotate a CMK, the security team must create a new CMK with new key material, and then re-encrypt the data using the new CMK. Once the data has been re-encrypted, the old CMK can be disabled or deleted. This process must be repeated periodically to maintain the security of the data.

The remaining options are:

B. Import new key material to an existing CMK: This option allows the security team to import new key material to a CMK with imported key material, but does not rotate the key material. This option is useful if the key material has been compromised, or if the key material has expired.

D. Import new key material to a new CMK and point the key alias to the new CMK: This option creates a new CMK with new key material, and then updates the key alias to point to the new CMK. This option does not rotate the key material for an existing CMK, but can be useful if the security team wants to use a different type of key material or to create a backup CMK.

E. Delete an existing CMK and a new default CMK will be created: This option deletes an existing CMK, but does not rotate the key material. AWS KMS will create a new default CMK, but this may not be desirable if the security team wants to control the key material and the encryption process.

In conclusion, the correct options for rotating customer master keys with imported key material are to manually rotate the keys using the AWS Management Console or AWS CLI, or to enable automatic key rotation for CMKs that use AWS-managed key material.