AWS Config Rule for S3 Bucket Encryption with KMS | Key Rotation Management Guide

Key Rotation Management for AWS Managed Key aws/s3

Question

The cloud monitoring team is using AWS Config to perform security checks.

One Config rule is to check if S3 buckets are encrypted using KMS.

After the rule was evaluated, several S3 buckets were reported as non-compliant because they were not encrypted with KMS.

To bring these buckets into compliance, you enabled default encryption with SSE-KMS using the AWS managed key aws/s3.

Your manager asks you how the key rotation for this key should be managed.

How should you answer this question?

Answers

A. B. C. D.

Explanations

Answer: D.

Option A is incorrect because users cannot enable or disable key rotation for AWS managed keys.

Rotation can only be enabled, disabled or given a custom rotation period for customer managed keys.

Option B is incorrect in the answer key because, when this question was written, AWS managed keys were rotated every 3 years, not every year. Note that since May 2022 AWS rotates AWS managed keys every year, so verify the current period in the KMS documentation. The part of the statement that holds either way is that the schedule is set by AWS and cannot be changed by the user.

Option C is incorrect because users cannot configure the rotation schedule of AWS managed keys; a configurable rotation period exists only for customer managed keys.

Option D is CORRECT because for AWS managed keys the user cannot manage key rotation at all: AWS enables it, AWS performs it, and the user can only observe it (for example through the GetKeyRotationStatus API).

At the time of the question the key was rotated automatically every 3 years (1095 days); since May 2022 the rotation period for AWS managed keys is 1 year.

For more information on AWS KMS key rotation, refer to the URL below.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

In this scenario, an AWS Config rule checks whether S3 buckets are encrypted using KMS. After running the rule, non-compliant buckets were found, and to fix this the bucket default encryption was set to SSE-KMS with the aws/s3 managed key. The question is then how rotation of that key is managed.

AWS Key Management Service (KMS) is a managed service for creating and controlling the keys that protect your data. Rotation behaviour depends on who manages the key. AWS managed keys, such as aws/s3, are rotated automatically by AWS on a fixed schedule; the account cannot enable, disable or change that rotation. Customer managed keys are not rotated unless you enable automatic rotation; for those keys you can turn rotation on or off and, since April 2024, set a rotation period of your own instead of the default of one year. The KeyManager field returned by DescribeKey (AWS versus CUSTOMER) tells you which case you are in.

Option A states that automatic key rotation can be enabled or disabled through the AWS console or CLI and that the key is rotated every year. Enabling or disabling rotation is only possible for customer managed keys; aws/s3 is an AWS managed key, so there is no rotation setting to toggle. Option A is therefore not the correct answer.

Option B states that key rotation is managed by AWS, that the user cannot disable it, and that the key is rotated every year. The first two parts are accurate. The answer key treats the period as wrong because AWS managed keys were rotated every three years when the question was written; since May 2022 they are rotated yearly, so on current AWS this option describes the real behaviour. Option B is not the answer the key expects, but the period is the one detail to check against current documentation rather than memorize.

Option C states that automatic rotation can be enabled or disabled through the console or CLI and that the frequency can be configured. Neither applies to an AWS managed key: there is no rotation switch and no rotation period to set for aws/s3. The configurable rotation period exists only for customer managed keys. Option C is not the correct answer.

Option D states that key rotation is managed by AWS and that the key is automatically rotated every three years. This is the answer the key marks as correct: the user has no control over rotation of aws/s3, and three years was the rotation period at the time. Today the period is one year, but the substance of the answer (AWS manages rotation, the user cannot) still holds.

In summary, for the aws/s3 managed key used to encrypt the S3 buckets, key rotation cannot be managed through the console or CLI and its frequency cannot be customized; AWS rotates the key on its own schedule. If the team needs control over rotation (to enable, disable or tune it), the bucket default encryption has to point at a customer managed key instead. Option D is the correct answer.
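The following is an added example, not part of the original page, that works through both explanations above offline: it evaluates a "default encryption must use KMS" check over constructed bucket configurations, builds the PutBucketEncryption request that remediates a failing bucket with aws/s3, and reports whether rotation of the resulting key is something the account can manage. The dictionaries mirror the shapes boto3 returns for s3:GetBucketEncryption, kms:DescribeKey and kms:GetKeyRotationStatus, but they are constructed sample data (bucket names, account ID and key IDs are made up, and the "Rotation" bundle is this example's own grouping); no AWS call is made. The equivalent CLI commands are noted in comments.

```python
"""Offline walk-through of the scenario: S3 default-encryption compliance,
the SSE-KMS remediation, and who controls rotation of the key involved.
Sample data is constructed to match boto3 response shapes; nothing here
talks to AWS."""

AWS_MANAGED_S3 = "alias/aws/s3"
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}   # SSE-KMS and dual-layer SSE-KMS

# Constructed: results of s3:GetBucketEncryption per bucket
# (CLI: aws s3api get-bucket-encryption --bucket NAME).  boto3 raises
# ServerSideEncryptionConfigurationNotFoundError when nothing is configured;
# that case is represented as None.
BUCKET_ENCRYPTION = {
    "finance-reports": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        "BucketKeyEnabled": True}]}},
    "legacy-logs": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "raw-uploads": None,
}

# Constructed: kms:DescribeKey KeyMetadata plus kms:GetKeyRotationStatus output
# (CLI: aws kms describe-key --key-id ID / aws kms get-key-rotation-status --key-id ID),
# keyed by the identifier a bucket rule would reference.  The aws/s3 entry
# reflects documented behaviour (rotation on, yearly, not configurable);
# the customer managed key is an assumed example that never had rotation enabled.
KEYS = {
    AWS_MANAGED_S3: {
        "KeyMetadata": {"KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
                        "KeyManager": "AWS", "KeyState": "Enabled"},
        "Rotation": {"KeyRotationEnabled": True, "RotationPeriodInDays": 365}},
    "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab": {
        "KeyMetadata": {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                        "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
        "Rotation": {"KeyRotationEnabled": False}},
}


def default_rule(config):
    """Return the bucket's ApplyServerSideEncryptionByDefault block, or None."""
    if not config:
        return None
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return rules[0].get("ApplyServerSideEncryptionByDefault") if rules else None


def uses_kms(config):
    """What a 'default encryption uses KMS' rule evaluates: SSE-S3 (AES256)
    and a missing configuration are both non-compliant."""
    rule = default_rule(config)
    return bool(rule) and rule.get("SSEAlgorithm") in KMS_ALGORITHMS


def effective_key(config):
    """Key a compliant bucket encrypts with.  S3 uses the AWS managed key
    aws/s3 when SSE-KMS is configured without a KMSMasterKeyID."""
    if not uses_kms(config):
        return None
    return default_rule(config).get("KMSMasterKeyID") or AWS_MANAGED_S3


def put_bucket_encryption_request(bucket, key_id=None):
    """Keyword arguments for s3.put_bucket_encryption(**request), the
    remediation in the scenario.  key_id=None selects aws/s3."""
    rule = {"SSEAlgorithm": "aws:kms"}
    if key_id:
        rule["KMSMasterKeyID"] = key_id
    return {"Bucket": bucket,
            "ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": rule, "BucketKeyEnabled": True}]}}


def rotation_posture(key_metadata, rotation_status):
    """What the account can do about rotation of this key.  KeyManager=AWS:
    rotation is always on, on AWS's schedule, and Enable/DisableKeyRotation
    are not permitted.  KeyManager=CUSTOMER: rotation is opt-in via
    EnableKeyRotation, which also accepts RotationPeriodInDays."""
    managed_by_aws = key_metadata["KeyManager"] == "AWS"
    enabled = rotation_status.get("KeyRotationEnabled", False)
    period = rotation_status.get("RotationPeriodInDays", 365 if enabled else None)
    if managed_by_aws:
        action = "none possible: AWS rotates this key automatically"
    elif not enabled:
        action = "call EnableKeyRotation (optionally with RotationPeriodInDays)"
    else:
        action = "rotation on; change RotationPeriodInDays via EnableKeyRotation if needed"
    return {"configurable": not managed_by_aws, "enabled": enabled,
            "period_days": period, "action": action}


def assess(bucket_encryption=BUCKET_ENCRYPTION, keys=KEYS):
    """Per bucket: compliance, the fix if non-compliant, and the rotation
    posture of the key the bucket uses after remediation with aws/s3."""
    report = {}
    for bucket, config in bucket_encryption.items():
        compliant = uses_kms(config)
        fix = None if compliant else put_bucket_encryption_request(bucket)
        key_ref = effective_key(config) if compliant else AWS_MANAGED_S3
        key = keys[key_ref]
        report[bucket] = {"compliant": compliant, "fix": fix, "key": key_ref,
                          "rotation": rotation_posture(key["KeyMetadata"], key["Rotation"])}
    return report


if __name__ == "__main__":
    for bucket, r in assess().items():
        print(f"{bucket}: compliant={r['compliant']} key={r['key']} -> {r['rotation']['action']}")
```

Running it shows the distinction the question turns on: the two buckets remediated with aws/s3 end up on a key whose rotation the account cannot touch, while the bucket already on a customer managed key has rotation the team can enable and tune, which is the route to take if controllable rotation is a requirement.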