AWS Certified Security - Specialty: Possible Causes of KMS CMK Import Failure


Question

You serve as a KMS Key Administrator for your company department. You've created a new KMS CMK with imported key material.

You're importing the key material into the KMS CMK.

The import operation is failing.

What are the possible causes of this problem (Select TWO)?

Answers

A. You did not update the key material Origin value to INTERNAL.
B. Your key material is not a 256-bit symmetric key.
C. You did not update the KMS CMK state to "Pending Import".
D. You waited longer than 24 hours and the import token has expired.

Explanations

Answer: B and D.

Option A is incorrect because, to import key material, you must first create a symmetric CMK whose origin is EXTERNAL.

Option B is CORRECT because the key material for customer-managed CMK must be a 256-bit symmetric key.

Option C is incorrect because a user cannot update the KMS CMK state.

Option D is CORRECT because the import token has a 24-hour expiration time.

Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-get-public-key-and-token.html

When importing key material into a KMS CMK, there are several possible reasons why the import operation may fail. Two possible causes of this problem are:

A. You did not update the key material Origin value to INTERNAL.
B. Your key material is not a 256-bit symmetric key.

Here is a more detailed explanation of each:

A. You did not update the key material Origin value to INTERNAL: When you import key material into a KMS CMK, you must specify the key material's origin. The origin indicates where the key material came from and can be either EXTERNAL or INTERNAL. If you are importing key material that was generated by an external source, you must update the key material's Origin value to EXTERNAL before importing it into the KMS CMK. However, if the key material was generated internally, then you must update the key material's Origin value to INTERNAL before importing it into the KMS CMK. Failure to set the Origin value correctly can result in a failed import operation.

B. Your key material is not a 256-bit symmetric key: KMS only supports the import of symmetric key material that is 256 bits in length. If the key material you are attempting to import is not 256 bits in length, the import operation will fail. Additionally, the key material must be formatted correctly. KMS expects key material to be in binary format, but if the key material is in a different format (e.g., Base64), the import operation will fail.

C. You did not update the KMS CMK state to "Pending Import": When you create a KMS CMK with imported key material, you must specify the initial state of the key. The state can be either Enabled or Pending Import. If you do not update the KMS CMK state to "Pending Import" before attempting to import the key material, the import operation will fail.

D. You waited longer than 24 hours and the import token has expired: When you initiate an import key material operation, KMS generates an import token that is valid for 24 hours. If you do not complete the import operation within 24 hours, the import token will expire, and the import operation will fail. To resolve this issue, you will need to initiate a new import key material operation and complete the import within 24 hours.

In summary, if you encounter a failed import operation when importing key material into a KMS CMK, you should check that the key material's Origin value is set correctly (INTERNAL for internal key material), the key material is a 256-bit symmetric key in binary format, the KMS CMK state is set to "Pending Import," and that you complete the import operation within 24 hours of generating the import token.
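The checks listed in the summary can be run before calling ImportKeyMaterial rather than discovered from a failed call. The following is an added example written for this page, not code from AWS or from the course: it validates the raw key material (256-bit, binary rather than Base64 text), the key's Origin and KeyState as returned by DescribeKey, and the ParametersValidTo timestamp from GetParametersForImport against the clock. The response dicts, timestamps and key bytes are constructed sample values; the field names Origin, KeyState, KeySpec and ParametersValidTo are the real KMS API names, and the "Base64 text passed instead of bytes" heuristic is this example's own.

```python
"""Pre-flight checks for KMS ImportKeyMaterial (added example, not AWS code)."""
import base64
import binascii
from datetime import datetime, timedelta, timezone

IMPORT_TOKEN_VALIDITY = timedelta(hours=24)   # lifetime of a GetParametersForImport token
EXPECTED_KEY_BYTES = 32                        # imported symmetric key material is 256 bits


def check_key_material(material: bytes) -> list[str]:
    """Return problems with the raw key material bytes (empty list if it looks right)."""
    problems = []
    # Heuristic: Base64 text of a 32-byte key is exactly 44 Base64-alphabet chars.
    # Passing that text instead of the decoded bytes is a common cause of failure.
    if len(material) == 44:
        try:
            if len(base64.b64decode(material, validate=True)) == EXPECTED_KEY_BYTES:
                problems.append("key material looks Base64-encoded; supply the raw 32 binary bytes")
                return problems
        except (binascii.Error, ValueError):
            pass
    if len(material) != EXPECTED_KEY_BYTES:
        problems.append(f"key material is {len(material) * 8} bits; KMS requires a 256-bit symmetric key")
    return problems


def check_key_metadata(key_metadata: dict) -> list[str]:
    """Check the KeyMetadata block of a DescribeKey response for import readiness."""
    problems = []
    if key_metadata.get("Origin") != "EXTERNAL":
        problems.append(f"Origin is {key_metadata.get('Origin')!r}; only a key created with "
                        "Origin=EXTERNAL accepts imported material")
    if key_metadata.get("KeyState") != "PendingImport":
        problems.append(f"KeyState is {key_metadata.get('KeyState')!r}; the key must be in PendingImport")
    return problems


def check_import_token(import_params: dict, now: datetime) -> list[str]:
    """Compare the ParametersValidTo timestamp from GetParametersForImport with the clock."""
    valid_to = import_params["ParametersValidTo"]
    if now >= valid_to:
        return [f"import token expired at {valid_to.isoformat()}; call GetParametersForImport "
                "again and re-wrap the key material with the new public key"]
    return []


def preflight(material: bytes, key_metadata: dict, import_params: dict, now: datetime) -> list[str]:
    """All checks together; an empty list means ImportKeyMaterial is worth attempting."""
    return (check_key_material(material)
            + check_key_metadata(key_metadata)
            + check_import_token(import_params, now))


def demo() -> tuple[list[str], list[str]]:
    """Run preflight on a correct setup and on one that trips every check."""
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)          # constructed
    params = {"ParametersValidTo": issued + IMPORT_TOKEN_VALIDITY}      # constructed
    raw_key = bytes(range(32))                                          # constructed, NOT a real key
    good_meta = {"KeyId": "EXAMPLE-KEY-ID", "KeySpec": "SYMMETRIC_DEFAULT",
                 "Origin": "EXTERNAL", "KeyState": "PendingImport"}     # constructed
    bad_meta = {"KeyId": "EXAMPLE-KEY-ID", "KeySpec": "SYMMETRIC_DEFAULT",
                "Origin": "AWS_KMS", "KeyState": "Enabled"}             # constructed
    good = preflight(raw_key, good_meta, params, issued + timedelta(hours=1))
    # Base64 text instead of bytes, wrong origin, wrong state, and 25 hours elapsed.
    bad = preflight(base64.b64encode(raw_key), bad_meta, params, issued + timedelta(hours=25))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("correct setup:", good or "no problems")
    for problem in bad:
        print("-", problem)
```

In practice the `key_metadata` argument is the `KeyMetadata` dict from a `describe-key` call and `import_params` is the `get-parameters-for-import` response; the material must still be wrapped with the returned public key before `import-key-material`, which this example does not do.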