AWS KMS Key Rotation Notifications

Receive Immediate Notifications for AWS KMS Key Rotations

Question

Your company is making extensive use of the AWS KMS service.

They have defined a number of CMK keys.

They need to be notified immediately whenever a rotation of a key is carried out.

Which of the following options should you use to ensure you are notified of these rotations?

Answers

Explanations

A. B. C. D.

Answer - A.

The AWS Documentation mentions the following.

Option A is CORRECT because the CloudWatch Event rule can quickly identify the key rotation event and notify the team through an SNS notification.

Option B is incorrect because the event source should be "aws.kms" and the "detail-type" should be "KMS CMK Rotation".

Option C is incorrect because the "detail-type" should be "KMS CMK Rotation".

Option D is incorrect because AWS Config does not have a solution out of the box: you have to write a custom rule with a Lambda function, and it cannot provide a real-time notification.

For more information on monitoring keys in the KMS service, please visit the below URL.

https://docs.aws.amazon.com/kms/latest/developerguide/monitoring-cloudwatch.html

KMS CMK Rotation

When you enable annual rotation of a CMK's key material, AWS KMS creates new key material for the CMK each year and sends a corresponding event to CloudWatch Events. The following is an example of this event.

{
    "version": "0",
    "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
    "detail-type": "KMS CMK Rotation",
    "source": "aws.kms",
    "account": "111122223333",
    "time": "2016-08-25T21:05:33Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    ],
    "detail": {
        "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab"
    }
}

The correct answer to this question is A. Configure a CloudWatch Event rule to check if the detail-type is "KMS CMK Rotation". Register an SNS topic to provide the notifications.

Explanation: AWS Key Management Service (KMS) is a fully managed service that allows you to create and control the encryption keys used to encrypt your data. When a Customer Master Key (CMK) is rotated, a new key is generated and used for all new encryption operations, while the old key is retained and used for decryption of previously encrypted data. The key rotation process is automatic and occurs every year by default.

To get notified immediately whenever a CMK key is rotated, you can use CloudWatch Events to monitor the KMS CMK Rotation event. CloudWatch Events is a service that allows you to respond to events that occur within your AWS environment.

Option A is the correct answer because it correctly uses CloudWatch Events to monitor the KMS CMK Rotation event by checking the detail-type of the event. When a CMK key rotation event is detected, an SNS topic is notified to provide the necessary notifications to the concerned parties.

Option B is incorrect because it registers a Lambda function to provide notifications instead of an SNS topic. While it is possible to use a Lambda function to send notifications, SNS is more suitable for this use case as it simplifies the process of sending notifications.

Option C is incorrect because it uses the wrong detail-type to monitor the event. The correct detail-type to monitor the KMS CMK Rotation event is "KMS CMK Rotation" and not "aws.kms.key.rotation".

Option D is incorrect because it uses AWS Config to monitor key rotation events. AWS Config is a service that allows you to assess, audit, and evaluate the configuration of your AWS resources. However, it is not suitable for monitoring events in real-time as it only provides periodic reports on the configuration of your resources.
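As an added example (not part of the original page or AWS documentation), the following Python shows the rule's event pattern from option A, a simplified version of the EventBridge matching semantics applied to a constructed copy of the rotation event quoted above, and why option C's "aws.kms.key.rotation" filter would never fire. The rule name and the SNS subject/message format are assumptions, and the put_rule keyword arguments are returned rather than sent.

```python
import json

# Event pattern for the CloudWatch Events (EventBridge) rule in option A:
# select events from the KMS source whose detail-type is the rotation event.
ROTATION_RULE_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["KMS CMK Rotation"],
}

def pattern_matches(pattern, event):
    """Simplified EventBridge matching: each pattern key must be present in the
    event; a list of literals matches if the event value equals any of them;
    a nested dict recurses. (No prefix/anything-but/numeric matchers.)"""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def put_rule_kwargs(rule_name="kms-cmk-rotation"):
    """Keyword arguments for boto3 events.put_rule(); the rule name is a placeholder."""
    return {"Name": rule_name, "State": "ENABLED",
            "EventPattern": json.dumps(ROTATION_RULE_PATTERN)}

def rotation_notification(event):
    """Return the SNS subject/message the rule's SNS target would deliver
    (assumed format), or None when the event does not match the rule."""
    if not pattern_matches(ROTATION_RULE_PATTERN, event):
        return None
    key_id = event["detail"]["key-id"]
    return {
        "Subject": f"KMS CMK rotated: {key_id}",
        "Message": (f"Key {key_id} in account {event['account']} ({event['region']}) "
                    f"was rotated at {event['time']}; resource {event['resources'][0]}"),
    }

# Constructed sample event, shaped like the rotation event quoted on this page.
ROTATION_EVENT = {
    "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
    "detail-type": "KMS CMK Rotation", "source": "aws.kms",
    "account": "111122223333", "time": "2016-08-25T21:05:33Z", "region": "us-west-2",
    "resources": ["arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"],
    "detail": {"key-id": "1234abcd-12ab-34cd-56ef-1234567890ab"},
}
# Option C's filter value: no KMS event carries this detail-type, so that rule never fires.
MISNAMED_EVENT = {**ROTATION_EVENT, "detail-type": "aws.kms.key.rotation"}
```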