Your company uses AWS KMS for the management of its customer keys.
From time to time, there is a requirement to delete existing keys as part of housekeeping activities.
What can be done during the deletion process to verify that the key is no longer being used?
A. Use CloudTrail to see if any KMS API request has been issued against existing keys.
B. Use Key policies to see the access level for the keys.
C. Rotate the keys once before deletion to see if other services are using the keys.
D. Change the IAM policy for the keys to see if other services are using the keys.
Answer: A.
Option A is CORRECT. AWS CloudTrail records every API request made to KMS, including the cryptographic operations (Encrypt, Decrypt, GenerateDataKey and so on) that use a particular key, so filtering the trail for the key's ARN shows whether anything still calls the key, when it was last called and by which principal.
Option B is incorrect because a key policy only states who is permitted to use or manage the key; it records nothing about whether those permissions have actually been exercised.
Option C is incorrect because KMS key rotation generates new backing key material while keeping the same key ID and ARN and retaining the previous material to decrypt existing ciphertexts. It is transparent to callers, so it produces no usage signal, and it does not expose a last-access time for the key.
Option D is incorrect because IAM policies are attached to IAM principals, not to KMS keys; the policy a key carries is its key policy. Revoking access to see what breaks is a disruptive test, and even then it is the resulting CloudTrail records, not the policy change itself, that would tell you who the callers are.
For more information on deleting keys, refer to the URL below:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html
That page describes creating an Amazon CloudWatch alarm that fires when a CloudTrail record shows a KMS request rejected because the key is pending deletion. Scheduling deletion gives you a waiting period of 7 to 30 days, and the alarm is the way to catch any caller that still needs the key during that window, before the deletion becomes irreversible.

When deleting existing keys from AWS KMS as part of housekeeping activities, it is important to verify that the key is no longer being used, to avoid any impact on your applications or services. Here are the explanations for each option:
A. Use CloudTrail to see if any KMS API request has been issued against existing keys.
CloudTrail records the AWS API calls made to KMS, including management actions (creating, deleting, enabling and disabling keys) and the cryptographic operations (Encrypt, Decrypt, GenerateDataKey, Sign and so on) that actually use a key. Each KMS event names the key in its resources field, even for calls such as Decrypt where the request does not specify a key ID because KMS identifies the key from the ciphertext. By filtering the trail for the ARN of the key you want to delete, you can see whether any cryptographic requests have been issued against it, when the last one happened and which roles or users made them. Note that the CloudTrail console's Event history only covers the last 90 days; for a longer look-back, query the trail's log files in S3, for example with Athena.
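As an added example (not code from the original page or from AWS), the following script applies the check described above to CloudTrail records in the shape CloudTrail writes to S3. The records, account ID, key ARN and role names are constructed placeholders. It counts only cryptographic operations against the target key, ignores the management calls that the housekeeping process itself generates, and separately flags requests that KMS rejected because the key was already pending deletion, which is the same condition the linked CloudWatch alarm watches for.

```python
"""Scan CloudTrail records for cryptographic use of one KMS key.

Added example, not from AWS documentation. SAMPLE_LOG is constructed in the
shape CloudTrail writes to S3 ({"Records": [...]}); the account ID, key ARNs
and role names are placeholders.
"""
import json
from datetime import datetime

# KMS API actions that use the key material. Management and read-only calls
# (DescribeKey, GetKeyPolicy, ListAliases, ScheduleKeyDeletion, ...) are left
# out on purpose: the housekeeping process itself generates those.
USAGE_EVENTS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "Sign", "Verify",
    "GenerateMac", "VerifyMac",
}

# Constructed placeholders: the key being retired and an unrelated key.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
ROLE = "arn:aws:sts::111122223333:assumed-role/"

# Constructed sample records. Decrypt carries no keyId in requestParameters,
# so the key is only identifiable from the resources list, as in real logs.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DescribeKey", "userIdentity": {"arn": ROLE + "KeyAdmin/alice"},
     "requestParameters": {"keyId": KEY_ARN}, "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T09:05:12Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": ROLE + "OrdersLambdaRole/orders-api"},
     "requestParameters": None, "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T09:07:45Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"arn": ROLE + "BackupRole/i-0abc123"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "keySpec": "AES_256"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Encrypt", "userIdentity": {"arn": ROLE + "OtherApp/x"},
     "requestParameters": {"keyId": OTHER_KEY_ARN}, "resources": [{"ARN": OTHER_KEY_ARN}]},
    {"eventTime": "2024-05-02T08:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "userIdentity": {"arn": ROLE + "KeyAdmin/alice"},
     "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 30},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-03T02:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": ROLE + "OrdersLambdaRole/orders-api"},
     "requestParameters": None, "resources": [{"ARN": KEY_ARN}],
     "errorCode": "KMSInvalidStateException",
     "errorMessage": KEY_ARN + " is pending deletion."},
]})


def load_records(log_text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(log_text)["Records"]


def touches_key(record, key_arn):
    """True if the record's resources or requestParameters name this key."""
    key_id = key_arn.rsplit("/", 1)[-1]
    for res in record.get("resources") or []:
        if res.get("ARN") == key_arn:
            return True
    params = record.get("requestParameters") or {}
    return params.get("keyId") in (key_arn, key_id)


def key_usage_report(records, key_arn):
    """Summarise cryptographic use of key_arn across CloudTrail records."""
    usage = [r for r in records
             if r.get("eventSource") == "kms.amazonaws.com"
             and r.get("eventName") in USAGE_EVENTS
             and touches_key(r, key_arn)]
    succeeded = [r for r in usage if "errorCode" not in r]
    # Requests KMS rejected after ScheduleKeyDeletion: callers that still
    # depend on the key and would break once deletion completes.
    blocked = [r for r in usage
               if r.get("errorCode") == "KMSInvalidStateException"
               and "pending deletion" in r.get("errorMessage", "")]
    times = sorted(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                   for r in succeeded)
    return {
        "usage_calls": len(succeeded),
        "last_used": times[-1].isoformat() if times else None,
        "callers": sorted({r["userIdentity"]["arn"] for r in usage}),
        "blocked_after_scheduling": len(blocked),
        "safe_to_delete": not usage,
    }


if __name__ == "__main__":
    print(json.dumps(key_usage_report(load_records(SAMPLE_LOG), KEY_ARN), indent=2))
```

Run against real trail files, the report for the key being retired should show zero usage calls over the whole look-back period you care about and, once deletion is scheduled, zero blocked requests; any non-zero count names the role that still needs the key, so you can fix the caller and cancel the deletion while the waiting period is still open.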
B. Use Key policies to see the access level for the keys.
A KMS key policy determines who can use and manage the key. Examining the key policy tells you which users or roles are permitted to call the key and at what level of access, which narrows down the applications or services that might be using it. It does not, however, record whether any of those principals has actually exercised that permission, so on its own it cannot confirm that the key is unused.
C. Rotate the keys once before deletion to see if other services are using the keys.
KMS key rotation is transparent to callers: the key ID and ARN stay the same, the previous key material is retained so that existing ciphertexts still decrypt, and callers are neither notified nor forced to request a new key. A rotation therefore produces no signal about which services are using the key. Even a manual rotation (creating a new key and repointing an alias to it) leaves Decrypt calls for existing ciphertexts going to the old key ID, and you would still need CloudTrail to see them.
D. Change the IAM policy for the keys to see if other services are using the keys.
IAM policies are attached to IAM users and roles, not to keys; what a key itself has is its key policy. Tightening either to block access would only tell you something when a caller fails, that is, after you have already broken it, and the evidence of that failure is again a CloudTrail record (an AccessDeniedException event), so the policy change adds nothing beyond reading the trail in the first place.
Out of these options, A is the correct method to verify that the key is no longer being used. CloudTrail provides a complete audit trail of KMS API calls, letting you identify any use of the key, when it last happened and by whom. Option C does not work: KMS rotation neither changes the key ID nor rejects callers, so it reveals nothing. Options B and D show who could use the key, not whether anyone does. In practice, a safe sequence is to confirm via CloudTrail that the key has been idle for the full look-back period you care about, disable the key (which is reversible) and watch the trail for failures, then schedule deletion with a waiting period and, as the linked documentation describes, alarm on any request rejected because the key is pending deletion so the deletion can still be cancelled.