In your organization, the security team requires that the key material of CMKs should be generated and maintained in your own infrastructure.
Therefore you have created key material in local servers and got it imported.
Then the CMKs are used for encryption/decryption with various AWS services.
Which configurations or operations can you perform on these CMKs? (Select TWO.)
Correct Answer - B, C.
When users create a new CMK, the key material origin can be selected as External which means the key material will be imported.
Reference can be found in https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html.
Option A is incorrect: Because automatic key rotation is not an option for CMKs with imported key material.
Option B is CORRECT: Because Schedule key deletion can still be configured.
Option C is CORRECT: Because users can manually delete the key material.
After that, AWS KMS deletes the key material but does not delete the CMK or metadata.
Option D is incorrect: Because AWS KMS never provides a CLI command or API to export key material outside of KMS.
Option E is incorrect: Because users can reimport the key material.
However, the key material must be the same.
Refer to the above link.
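The lifecycle described above, as an added example that is not part of the original page: the wrapping step is rehearsed locally with openssl against a constructed stand-in RSA key, and the AWS CLI calls (create with origin EXTERNAL, import, delete only the material, schedule deletion with a 7-30 day window) are gathered in `kms_flow`, which is not run automatically and assumes `jq` and configured credentials.

```shell
#!/bin/sh
# Added example (not the page's own code). AWS CLI flags are the documented ones;
# the stand-in wrapping key and the 32-byte key material are constructed locally.
set -eu

# Wrap key material with RSAES_OAEP_SHA_256, the same operation applied to the
# WrappingPublicKey returned by get-parameters-for-import. Prints the wrapped size
# (256 bytes for an RSA-2048 wrapping key).
# $1 = DER public key, $2 = plaintext key material, $3 = wrapped output
wrap_key_material() {
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  wc -c < "$3" | tr -d ' '
}

# schedule-key-deletion only accepts a waiting period of 7 to 30 days.
valid_pending_window() {
  [ "$1" -ge 7 ] && [ "$1" -le 30 ]
}

# Offline rehearsal: a constructed RSA-2048 key stands in for the KMS wrapping key,
# and the AES-256 key material is generated on-prem, as the scenario requires.
rehearse_wrap() {
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/wrap.pem" 2>/dev/null
  openssl pkey -in "$d/wrap.pem" -pubout -outform DER -out "$d/WrappingPublicKey.bin"
  openssl rand -out "$d/PlaintextKeyMaterial.bin" 32
  wrap_key_material "$d/WrappingPublicKey.bin" "$d/PlaintextKeyMaterial.bin" "$d/EncryptedKeyMaterial.bin"
  rm -rf "$d"
}

# The real flow against AWS KMS (call explicitly; needs aws, jq and credentials).
kms_flow() {
  KEY_ID=$(aws kms create-key --origin EXTERNAL --query KeyMetadata.KeyId --output text)
  # Public key and import token must come from the same response.
  aws kms get-parameters-for-import --key-id "$KEY_ID" \
    --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 > params.json
  jq -r .PublicKey params.json | base64 --decode > WrappingPublicKey.bin
  jq -r .ImportToken params.json | base64 --decode > ImportToken.bin
  wrap_key_material WrappingPublicKey.bin PlaintextKeyMaterial.bin EncryptedKeyMaterial.bin
  aws kms import-key-material --key-id "$KEY_ID" \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
  # Option C: removes only the material; the CMK and its metadata remain, and the
  # same material can later be re-imported.
  aws kms delete-imported-key-material --key-id "$KEY_ID"
  # Option B: schedule deletion of the CMK itself with the mandatory waiting period.
  valid_pending_window 7 && aws kms schedule-key-deletion --key-id "$KEY_ID" --pending-window-in-days 7
}
```

Note that no `aws kms` command appears for exporting the material: KMS offers none (option D).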
Based on the scenario presented, you have created a Customer Master Key (CMK) and imported the key material from your own infrastructure, and you are using this CMK for encryption/decryption with various AWS services. The security team requires that the key material should be generated and maintained in your own infrastructure, indicating a need for a high level of control over the CMK.
The following are the configurations or operations that can be performed on these CMKs:
A. Enable automatic key rotation so that the key material is automatically rotated every year: Key rotation is a best practice for cryptographic keys. It is a security measure that helps to protect data by ensuring that the keys used for encryption/decryption are changed periodically, which reduces the impact of a compromised key. Therefore, enabling automatic key rotation can enhance the security of your data. However, since the security team requires that the key material be generated and maintained in your own infrastructure, you need to ensure that you have the capability to rotate the keys every year on your own infrastructure.
B. Schedule key deletion and set a waiting period of 7 to 30 days: Key deletion is another important security measure to prevent unauthorized access to data. By scheduling key deletion and setting a waiting period of 7 to 30 days, you can ensure that the key will not be deleted immediately, giving you enough time to take action if you discover that the key has been compromised. However, it is important to note that the security team requires that the key material be generated and maintained in your own infrastructure, so you need to ensure that you have control over the key deletion process.
C. Manually delete the imported key material: Deleting a CMK should be done with caution as it will render the data encrypted with the key unreadable. The security team may require that you take extra precautions when deleting the imported key material. This operation may only be performed if authorized by the security team and if it complies with the security policies and procedures established in your organization.
D. Export the key material through AWS KMS CLI: Exporting key material can be useful in situations where you need to migrate the key material to another system or perform forensic analysis on the key material. However, the security team requires that the key material be generated and maintained in your own infrastructure, and therefore exporting the key material through AWS KMS CLI may not be an option.
E. Import a different key material into the same CMK: This operation is not recommended in this scenario since the security team requires that the key material be generated and maintained in your own infrastructure. This would mean that any new key material used in the same CMK should also be generated and maintained in your own infrastructure.
In summary, the two operations that can be performed on the CMKs in this scenario are enabling automatic key rotation and scheduling key deletion. However, any operations performed on the CMKs should be done in compliance with the security policies and procedures established by the security team.