AWS Certified Developer – Associate / Question #1032 of 557

Question #1032

A developer is using AWS KMS to manage encryption keys for sensitive data. The security policy mandates that any decommissioned keys must be rendered unusable immediately, with no possibility of recovery. The solution must maintain high availability and avoid any manual management of server infrastructure.

Which approach fulfills these requirements?

A

Use AWS KMS managed keys. When keys are decommissioned, schedule them for deletion.

B

Use customer managed keys with imported key material. Upon decommissioning, delete the imported key material.

C

Use customer managed keys. Delete the key material when decommissioned.

D

Use customer managed keys in a custom key store backed by AWS CloudHSM. Schedule deletion upon decommissioning.

Explanation

The correct answer is B because:
- Imported key material: for a customer managed key whose material you imported (Origin = EXTERNAL), calling DeleteImportedKeyMaterial removes the material from KMS right away and moves the key to the PendingImport state; Encrypt, Decrypt and GenerateDataKey calls fail from that moment until material is imported again. KMS keeps no copy. The one caveat a practitioner should know: the material can be re-imported from a copy held outside KMS, so to meet "no possibility of recovery" you must also destroy your own copy (or additionally schedule the key for deletion). You can also set an expiration date when importing so KMS deletes the material automatically.
- Immediate effect: ScheduleKeyDeletion (options A and D) enforces a waiting period of 7 to 30 days (default 30). During that window the key is in the PendingDeletion state and can be restored with CancelKeyDeletion, so scheduled deletion is neither immediate nor irreversible until the window ends. Deleting imported key material has no waiting period and cannot be cancelled.
- No infrastructure to manage: KMS operates the key-storage infrastructure. Option D requires an AWS CloudHSM cluster that you create, initialize, back up and maintain yourself.
- Incorrect options:
- A: AWS managed keys (the aws/<service> keys) are created and rotated by the service; you cannot schedule them for deletion, and even where scheduled deletion applies it carries the waiting period, which violates the "immediate" requirement.
- C: key material generated by KMS (Origin = AWS_KMS) cannot be deleted on its own; the only way to retire such a key is ScheduleKeyDeletion, with its waiting period.
- D: a CloudHSM-backed custom key store still retires keys through ScheduleKeyDeletion (waiting period applies), and it adds an HSM cluster that you must manage.
Key points: use imported key material when a key must become unusable the instant it is decommissioned, destroy the external copy of the material as part of decommissioning, and leave the key-storage infrastructure to KMS.
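The difference between option B and the scheduled-deletion options, as an added example that is not part of the original question or of AWS code. The method names match boto3's KMS client (describe_key, delete_imported_key_material, schedule_key_deletion, cancel_key_deletion); FakeKms is a constructed in-memory stand-in with the same method names so the example runs offline, and it models only the key-state transitions discussed above. The key IDs "imported-key" and "kms-generated-key" are made up.

```python
"""Decommissioning a KMS key: imported key material (option B) versus
scheduled deletion (options A and D).

FakeKms is a constructed stand-in for boto3.client("kms"); it is not AWS
code. The decommission_* functions below work unchanged against a real
boto3 KMS client because they use the same method names and response shape.
"""
from datetime import datetime, timedelta, timezone


class FakeKms:
    """Constructed stand-in for boto3.client("kms") (assumption, not AWS code)."""

    def __init__(self, keys):
        # keys: {key_id: {"Origin": "EXTERNAL" | "AWS_KMS", "KeyState": "Enabled"}}
        self.keys = keys

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, **self.keys[KeyId]}}

    def delete_imported_key_material(self, KeyId):
        meta = self.keys[KeyId]
        if meta["Origin"] != "EXTERNAL":
            # KMS refuses this for material it generated itself (option C).
            raise ValueError("UnsupportedOperationException: key material was not imported")
        meta["KeyState"] = "PendingImport"  # unusable at once; key ID and metadata remain
        return {}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays=30):
        if not 7 <= PendingWindowInDays <= 30:
            raise ValueError("ValidationException: PendingWindowInDays must be 7-30")
        meta = self.keys[KeyId]
        meta["KeyState"] = "PendingDeletion"
        meta["DeletionDate"] = datetime.now(timezone.utc) + timedelta(days=PendingWindowInDays)
        return {"KeyId": KeyId, "KeyState": "PendingDeletion",
                "PendingWindowInDays": PendingWindowInDays,
                "DeletionDate": meta["DeletionDate"]}

    def cancel_key_deletion(self, KeyId):
        meta = self.keys[KeyId]
        meta["KeyState"] = "Disabled"  # the key comes back during the waiting period
        meta.pop("DeletionDate", None)
        return {"KeyId": KeyId}


def decommission_imported_key(kms, key_id):
    """Option B: delete the imported material and confirm the key is unusable now.

    Returns the key state after the call ("PendingImport"). Raises if the key's
    material was generated by KMS, which is option C's mistake.
    """
    origin = kms.describe_key(KeyId=key_id)["KeyMetadata"]["Origin"]
    if origin != "EXTERNAL":
        raise RuntimeError(f"{key_id}: Origin is {origin}; only imported material can be deleted")
    kms.delete_imported_key_material(KeyId=key_id)
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    if state != "PendingImport":
        raise RuntimeError(f"{key_id}: expected PendingImport, got {state}")
    # The material could still be re-imported from a copy held outside KMS:
    # destroy that copy as part of decommissioning, or schedule key deletion too.
    return state


def decommission_by_scheduling(kms, key_id, days=7):
    """Options A and D: the shortest legal window is 7 days, and the key can be
    restored with cancel_key_deletion until it elapses. Returns the waiting period."""
    resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=days)
    return resp["PendingWindowInDays"]


def deletion_pending(kms, key_id):
    """True while a scheduled deletion can still be cancelled, i.e. the key is recoverable."""
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"] == "PendingDeletion"


if __name__ == "__main__":
    kms = FakeKms({
        "imported-key": {"Origin": "EXTERNAL", "KeyState": "Enabled"},
        "kms-generated-key": {"Origin": "AWS_KMS", "KeyState": "Enabled"},
    })
    print(decommission_imported_key(kms, "imported-key"))        # PendingImport
    print(decommission_by_scheduling(kms, "kms-generated-key"))  # 7
    print(deletion_pending(kms, "kms-generated-key"))            # True
    kms.cancel_key_deletion(KeyId="kms-generated-key")
    print(deletion_pending(kms, "kms-generated-key"))            # False
```

To run this against an account, replace FakeKms with boto3.client("kms") and pass real key IDs or ARNs; the decommission functions do not change. The Origin check before calling DeleteImportedKeyMaterial is the practical guard that separates option B from option C, and the deletion_pending check shows why a key retired via ScheduleKeyDeletion is still recoverable until its window ends.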

Answer

The correct answer is: B