AWS Certified Security - Specialty: Deleting Unused KMS Keys | Exam Question

Deleting Unused KMS Keys

Question

You have been experimenting with the usage of KMS keys.

Along the way, you have created several CMKs and used them in applications in different areas.

You now want to delete the keys which are no longer being used.

Which of the following options would you use to achieve this? (Select TWO.)

Answers

Explanations



Answer - B and C.

The AWS Documentation mentions the following.

Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous.

It deletes the key material and all metadata associated with the CMK, and is irreversible.

After a CMK is deleted, you can no longer decrypt the encrypted data under that CMK, which means that data becomes unrecoverable.

You should delete a CMK only when you are sure that you don't need to use it anymore.

If you are not sure, consider disabling the CMK instead of deleting it.

You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.

AWS KMS is integrated with AWS CloudTrail, so all AWS KMS API activity is recorded in CloudTrail log files.

If you have CloudTrail turned on in the region where your customer master key (CMK) is located, you can examine your CloudTrail log files to view a history of all AWS KMS API activity for a particular CMK, and thus its usage history.

Option A is invalid since AWS Config records resource configuration changes, not usage of the KMS keys.

Option D is invalid since rotating keys is not the objective of the question.

For more information on deleting keys, see the URL below.

https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html

To delete the KMS keys which are no longer being used, we can follow these steps:

  1. Identify the unused KMS keys: The first step is to identify which KMS keys are not being used by any application or service. For this, we can use the following options:

     • Use AWS Config: AWS Config can be used to see where all the keys have been used. By using AWS Config, we can get a list of all the KMS keys and check which ones have not been used for a long time. This will help us identify the keys that are no longer being used.

     • Use CloudTrail logs: CloudTrail logs can be used to see where all the keys have been used. By analyzing the CloudTrail logs, we can find out which keys have not been used for a long time and are therefore no longer needed.

  2. Disable or delete the unused KMS keys: Once we have identified the unused KMS keys, we can either disable or delete them. Disabling a KMS key means that the key will still exist, but it will not be available for use. This is useful if we think we might need the key in the future. Deleting a KMS key means that the key will be permanently removed and cannot be recovered. This is a good option if we are sure that we no longer need the key.

  3. Consider rotating the keys being used: We should also consider rotating the keys that are being used by applications and services. Key rotation helps to improve security by ensuring that the same key is not used for a long time. This can be done by creating a new KMS key and updating the applications and services to use the new key. Once all the applications and services have been updated, the old key can be disabled or deleted.

In summary, to delete KMS keys that are no longer being used, we should use either AWS Config or CloudTrail logs to identify the unused keys. We should then consider disabling or deleting the unused keys and rotating the keys that are being used.
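The CloudTrail-based check and the disable-before-delete step described above, as an added worked example (not part of the original page or of AWS documentation): it scans CloudTrail records for successful cryptographic operations per key, reports keys with none inside a window, and prints the AWS CLI commands (`aws kms disable-key`, `aws kms schedule-key-deletion --pending-window-in-days`) an operator would review before running. The key ARNs, the account id 111122223333, the CloudTrail records and the 90-day window are all constructed assumptions; only the CloudTrail field names and KMS API operation names are real.

```python
"""
Find KMS keys with no successful cryptographic use in a CloudTrail window and
produce the disable / schedule-deletion commands for operator review.

Everything below is constructed for this example: the key ARNs, the account id
111122223333 and the CloudTrail records do not come from any real account.
"""
from datetime import datetime, timedelta, timezone

# KMS API calls that mean a key is actually in use. Management calls such as
# DescribeKey, GetKeyPolicy or ListKeys are excluded on purpose: browsing a key
# in the console is not usage.
CRYPTO_OPERATIONS = {
    "Encrypt", "Decrypt", "ReEncrypt",
    "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext",
    "Sign", "Verify", "GenerateMac", "VerifyMac",
}

# Constructed key ARNs; in practice this list comes from `aws kms list-keys`.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-0000-4000-8000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-0000-4000-8000-000000000002"
KEY_C = "arn:aws:kms:us-east-1:111122223333:key/3333cccc-0000-4000-8000-000000000003"
KEY_D = "arn:aws:kms:us-east-1:111122223333:key/4444dddd-0000-4000-8000-000000000004"
ALL_KEYS = [KEY_A, KEY_B, KEY_C, KEY_D]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible


def _kms_event(event_time, event_name, key_arn, error_code=None):
    """Build a minimal CloudTrail record in the shape KMS events use (constructed)."""
    record = {
        "eventTime": event_time,
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "resources": [{"ARN": key_arn, "accountId": "111122223333", "type": "AWS::KMS::Key"}],
    }
    if error_code:
        record["errorCode"] = error_code
    return record


# Constructed sample trail: KEY_A used recently, KEY_B only described, KEY_C used
# long ago, KEY_D only the target of a denied call, plus an unrelated S3 event.
SAMPLE_CLOUDTRAIL = [
    _kms_event("2024-05-30T08:00:00Z", "Decrypt", KEY_A),
    _kms_event("2024-05-29T12:00:00Z", "DescribeKey", KEY_B),
    _kms_event("2023-11-01T09:00:00Z", "GenerateDataKey", KEY_C),
    _kms_event("2024-05-28T15:30:00Z", "Encrypt", KEY_D, error_code="AccessDenied"),
    {"eventTime": "2024-05-31T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "resources": []},
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-30T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_crypto_use(records):
    """Map key ARN -> time of its most recent successful cryptographic operation."""
    last = {}
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in CRYPTO_OPERATIONS:
            continue
        if "errorCode" in rec:  # a denied or failed call did not use the key
            continue
        when = parse_event_time(rec["eventTime"])
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                arn = res["ARN"]
                if arn not in last or when > last[arn]:
                    last[arn] = when
    return last


def unused_keys(all_keys, records, now=NOW, window_days=90):
    """Keys with no successful cryptographic use in the last `window_days` days."""
    last = last_crypto_use(records)
    cutoff = now - timedelta(days=window_days)
    return sorted(k for k in all_keys if k not in last or last[k] < cutoff)


def remediation_commands(key_arns, pending_window_days=30):
    """Disable first (reversible), then schedule deletion with the longest waiting period."""
    cmds = []
    for arn in key_arns:
        cmds.append(f"aws kms disable-key --key-id {arn}")
        cmds.append(f"aws kms schedule-key-deletion --key-id {arn} "
                    f"--pending-window-in-days {pending_window_days}")
    return cmds


if __name__ == "__main__":
    candidates = unused_keys(ALL_KEYS, SAMPLE_CLOUDTRAIL)
    print("Keys with no cryptographic use in the last 90 days:")
    for arn in candidates:
        print("  ", arn)
    print("\nCommands to review before running:")
    for cmd in remediation_commands(candidates):
        print("  ", cmd)
```

Two points from the design: a key that appears only in DescribeKey or GetKeyPolicy events, or only in calls that failed with an errorCode, is still reported as unused, because neither decrypted or encrypted anything. KMS keys are regional and CloudTrail event history only covers the last 90 days, so a real run should read every region's records from a trail delivered to S3 (or queried through Athena) rather than the console history alone; keys used by other accounts through grants show up in the key owner's CloudTrail as well, which is why the check runs in the account that owns the key.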