You have a set of Keys defined using the AWS KMS service.
You want to stop using a couple of keys but are not sure of which services are currently using the keys.
Which of the following would be a safe option to stop using the keys from further usage?
A. B. C. D.

Answer: B.
Option A is incorrect because once you schedule the key deletion and the waiting period ends, the key cannot be enabled or used again.
This would not be a safe option.
Option B is CORRECT because disabling the key stops any further use of it.
Once the key is disabled, we can also find out which AWS services use this key.
Option C is incorrect because setting up an alias for the key will not check to see if the keys are currently being used or not.
Option D is incorrect because changing the key material will not check if the keys are currently being used or not.
For more information on deleting keys from KMS, kindly refer to the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html

The safest option to stop using a couple of keys defined using the AWS KMS service without breaking any dependent services is to disable the keys.
Explanation:
A. Deleting the keys may cause a service outage for any services that depend on them. While there is a 7-day waiting period before the key is permanently deleted, it's not a safe option to delete keys without first checking the impact on the services that depend on them.
B. Disabling the keys prevents any further usage of the keys while maintaining any existing data encrypted with the keys. Services that use the keys will not be able to perform cryptographic operations that require the keys. Disabling keys does not delete them or remove any data that is encrypted using the keys.
C. Setting an alias for the key is not related to stopping the usage of the key. It's used to create a user-friendly identifier that maps to the AWS KMS key.
D. Changing the key material for the key is not related to stopping the usage of the key. It's used to rotate the cryptographic material for the key to ensure the security of the encrypted data.
In summary, the safest option to stop using a couple of keys defined using the AWS KMS service is to disable the keys.
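Disabling a key is safe precisely because it is reversible and observable: every later Encrypt/Decrypt/GenerateDataKey call against the disabled key fails and is recorded in CloudTrail with an errorCode of DisabledException, so the callers that still depend on the key can be listed before any deletion is scheduled. The script below is an added example, not part of the original question or of AWS documentation; it parses constructed CloudTrail records (the key ARN, account id and identities are made up) and groups the failed calls by the service or principal that made them.

```python
from collections import Counter, defaultdict

# Constructed sample CloudTrail records (not real data). The first three are
# calls that failed after the key was disabled; the last one targets another
# key and succeeded, so it must not be reported.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"

SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "DisabledException",
     "userIdentity": {"type": "AWSService", "invokedBy": "rds.amazonaws.com"},
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "DisabledException",
     "userIdentity": {"type": "AWSService", "invokedBy": "rds.amazonaws.com"},
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "errorCode": "DisabledException",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/backup-script"},
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
     "resources": [{"ARN": OTHER_KEY_ARN, "type": "AWS::KMS::Key"}]},
]


def caller_of(event):
    """Service-initiated calls carry the service in invokedBy; direct calls carry the principal ARN."""
    ident = event.get("userIdentity", {})
    return ident.get("invokedBy") or ident.get("arn") or ident.get("type", "unknown")


def disabled_key_usage(events, key_arn):
    """Return {caller: Counter(eventName)} for KMS calls that failed because key_arn is disabled."""
    usage = defaultdict(Counter)
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("errorCode") != "DisabledException":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        usage[caller_of(ev)][ev["eventName"]] += 1
    return dict(usage)


if __name__ == "__main__":
    for caller, ops in disabled_key_usage(SAMPLE_EVENTS, KEY_ARN).items():
        print(f"{caller}: {dict(ops)}")
```

In a real account the records would come from CloudTrail (for example via a lookup filtered on the key's ARN) and the review window should cover at least one full cycle of the dependent services' scheduled jobs before the key is scheduled for deletion.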