AWS EBS Volume Recovery Solution

Question

You have an EBS volume attached to a running EC2 Instance that uses KMS for Encryption.

Someone has deleted the Customer Key which was used for the EBS encryption.

Which of the following options is needed so that the EC2 instance can still use the EBS volume?

Answers

A. Create a new Customer Key using KMS and attach it to the existing volume.
B. Nothing is needed, as the key deletion has no immediate effect on the EC2 instance or the EBS volume.
C. Request AWS Support to recover the key.
D. Use AWS Config to recover the key.

Explanations

Answer: B.

Option A is incorrect because creating a new CMK and attaching it to the existing volume will not allow the data to be decrypted.

You cannot change the customer master key of a volume after the volume has been encrypted.

Option B is correct because the deletion of the CMK has no immediate effect on the EC2 instance or the EBS volume: Amazon EC2 uses the plaintext data key, not the CMK, to encrypt the disk I/O to the EBS volume. The CMK is only needed again when the data key must be decrypted, for example when the volume is detached and re-attached, so the running instance keeps working until then.

Option C is incorrect because you cannot use AWS Support to recover the key once the key has been deleted.

Option D is incorrect because once the key has been deleted, you cannot use Config to recover the key.

For more information on EBS encryption with KMS, refer to the following URLs:

https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html

When an EBS volume is encrypted with a KMS customer master key (CMK), the data on the volume is encrypted with a data encryption key (DEK), and the CMK is used to encrypt that DEK. Without the CMK, the DEK cannot be decrypted and the data on the volume cannot be accessed. Therefore, if the CMK is deleted, the data on the volume becomes inaccessible.

In the given scenario, the CMK used to encrypt the EBS volume has been deleted, so the data on the volume is no longer accessible. To make the EC2 instance use the EBS volume again, a new CMK needs to be created and attached to the existing volume. This will allow the new CMK to be used to decrypt the DEK and access the data on the volume.

Option A, "Create a new Customer Key using KMS and attach it to the existing volume," is the correct answer. This option will create a new CMK in KMS and associate it with the EBS volume, allowing the data on the volume to be accessed again.

Option B, "Nothing is needed as the key deletion has no immediate effect on the EC2 instance or the EBS volume," is incorrect. As explained above, the deletion of the CMK will render the data on the EBS volume inaccessible.

Option C, "Request AWS Support to recover the key," is not a valid option. AWS does not provide a way to recover deleted CMKs, so this option is not feasible.

Option D, "Use AWS Config to recover the key," is also incorrect. AWS Config is a service that provides a detailed inventory of your AWS resources and their configuration histories, but it does not have the capability to recover deleted CMKs.

Therefore, the correct answer is option A.