Ways to Identify Inactive Customer Master Keys for AWS KMS

Identifying Inactive Customer Master Keys for AWS KMS

Question

A company has been using the AWS KMS service for managing its keys.

They are planning on carrying out housekeeping activities and deleting keys that are no longer in use.

What are the ways that can be incorporated to see which customer master keys are still being used? Choose 2 answers from the options given below.

Answers

A. Determine if the age of the customer master key is over 90 days.
B. Examine CMK permissions to determine the scope of potential usage.
C. Examine AWS CloudTrail logs to determine the actual usage.
D. Check Trusted Advisor to see if the customer master keys can be safely deleted.

Explanations

Answer: B and C.

Option A is incorrect because seeing how long ago the key was created would not determine the usage of the key.

Option B is CORRECT because determining who or what currently has access to a customer master key (CMK) might help you determine how widely the CMK was used and whether it is still needed.

Option C is CORRECT because AWS KMS is integrated with AWS CloudTrail, so all AWS KMS API activity is recorded in CloudTrail log files.

If you have CloudTrail turned on in the region where your customer master key (CMK) is located, you can examine your CloudTrail log files to view a history of all AWS KMS API activity for a particular CMK, and thus its usage history.

You might be able to use a CMK's usage history to help you determine whether or not you still need it.

Option D is incorrect because Trusted Advisor does not provide such information.

For more information on determining the usage of CMK keys, kindly visit the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html

When a company uses the AWS KMS service to manage their keys, they may accumulate a large number of customer master keys over time. To ensure proper housekeeping, it is important to identify which keys are no longer in use so that they can be safely deleted. There are several ways to determine which customer master keys are still being used, and two possible answers to this question are:

B. Examine CMK permissions to determine the scope of potential usage.
C. Examine AWS CloudTrail logs to determine the actual usage.

Here's a detailed explanation of each option:

B. Examine CMK permissions to determine the scope of potential usage: When a customer master key is used, it must have appropriate permissions granted to the AWS services or users that require access. By examining the key policy associated with each customer master key, one can determine which services and users have access to the key. This provides insight into the scope of potential usage of each key. If a key has not been used by any service or user in a long time, it may be a good candidate for deletion.

C. Examine AWS CloudTrail logs to determine the actual usage: AWS CloudTrail is a service that records API calls made in an AWS account. By examining CloudTrail logs, one can determine which AWS services and users have actually used each customer master key. This provides insight into the actual usage of each key, rather than just the potential usage. If a key has not been used in a long time, it may be a good candidate for deletion.

A. Determine if the age of the customer master key is over 90 days: While this option may seem reasonable at first glance, the age of a customer master key is not a reliable indicator of whether it is still being used or not. A key may have been created a long time ago but may still be actively used by one or more services or users. On the other hand, a key may have been created recently but may not have been used at all. Therefore, relying solely on the age of a key is not a good way to determine whether it can be safely deleted.

D. Check Trusted Advisor to see if the customer master keys can be safely deleted: Trusted Advisor is a tool provided by AWS that gives recommendations on how to optimize an AWS account. While it may provide some insight into the usage of customer master keys, it is not specifically designed to identify which keys are no longer in use. Therefore, it is not a reliable way to determine which keys can be safely deleted.
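The two correct checks combined in code, as an added example that is not part of the original question or of AWS documentation: it reads CloudTrail records to find the last KMS API call against each CMK, flags keys with no recorded activity inside an idle window, and lists the principals a key policy grants access to. The CloudTrail records, key ARNs, key policy and the 90-day idle window are all constructed assumptions for the demonstration.

```python
import json
from datetime import datetime, timedelta, timezone

def _ev(time, source, name, resources=()):
    """Build a minimal CloudTrail record holding only the fields this check reads."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "resources": list(resources)}

# Constructed inventory of CMKs under review plus sample CloudTrail records (not real account data).
KEY_ARNS = ["arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-00000000000%d" % i for i in (1, 2, 3)]
SAMPLE_EVENTS = [
    _ev("2024-05-20T09:12:44Z", "kms.amazonaws.com", "Decrypt", [{"type": "AWS::KMS::Key", "ARN": KEY_ARNS[0]}]),
    _ev("2023-11-01T17:03:10Z", "kms.amazonaws.com", "GenerateDataKey", [{"type": "AWS::KMS::Key", "ARN": KEY_ARNS[1]}]),
    _ev("2024-05-21T08:00:00Z", "kms.amazonaws.com", "ListKeys"),  # management call, no key resource
    _ev("2024-05-22T10:30:00Z", "s3.amazonaws.com", "GetObject",  # not a KMS API call; ignored
        [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/report.csv"}]),
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed "current" time for the review

def kms_last_used(events):
    """Map each CMK ARN to the most recent KMS API call recorded against it (option C)."""
    last = {}
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for res in ev.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                last[res["ARN"]] = max(ts, last.get(res["ARN"], ts))
    return last

def deletion_candidates(key_arns, events, now, idle_days):
    """CMKs with no recorded KMS activity within idle_days; the window is the operator's choice."""
    last = kms_last_used(events)
    cutoff = now - timedelta(days=idle_days)
    return sorted(k for k in key_arns if k not in last or last[k] < cutoff)

def policy_principals(key_policy_json):
    """Principals granted access by Allow statements in a key policy: the scope of potential use (option B)."""
    principals = set()
    for stmt in json.loads(key_policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal", {})
        vals = ["*"] if p == "*" else [v for x in p.values() for v in (x if isinstance(x, list) else [x])]
        principals.update(vals)
    return sorted(principals)

# Constructed key policy for one of the sample keys.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app-role"],
     "Service": "logs.us-east-1.amazonaws.com"}, "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::111122223333:user/retired"}, "Action": "kms:*", "Resource": "*"},
]})

if __name__ == "__main__":
    print("no KMS activity in 90 days:", deletion_candidates(KEY_ARNS, SAMPLE_EVENTS, NOW, idle_days=90))
    print("principals granted access by the sample policy:", policy_principals(SAMPLE_POLICY))
```

A key that appears in the candidate list still needs its policy principals reviewed before scheduling deletion, since a quiet key may serve a workload that runs less often than the idle window.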