Your company uses AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities.

Posted by: Pdfprep Category: SCS-C01

What can be done during the deletion process to verify that the key is no longer being used?
A. Use CloudTrail to see if any KMS API request has been issued against existing keys
B. Use key policies to see the access level for the keys
C. Rotate the keys once before deletion to see if other services are using the keys
D. Change the IAM policy for the keys to see if other services are using the keys

Answer: A

Explanation:

The AWS documentation mentions the following:

You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it.

Options B and D are incorrect because neither key policies nor IAM policies can be used to check whether the keys are being used.

Option C is incorrect since rotation will not help you check whether the keys are being used. For more information on deleting keys, please refer to the URL below: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html
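The detection the explanation describes, as an added example that is not part of the original page or of AWS's own code: a small scanner that walks a CloudTrail log file, picks out KMS API calls that failed because the target key is pending deletion, and tallies them per key so the owner knows which scheduled deletions to cancel. The CloudTrail records, account number and key IDs are constructed placeholders; the CloudWatch Logs metric filter pattern is an assumption that mirrors the shape of the one on the linked AWS page and should be checked against that page before use.

```python
"""Scan a CloudTrail log file for KMS API calls that hit a key pending deletion.

Added example; CloudTrail records below are constructed, not real account data.
"""
import json
from collections import Counter

# CloudWatch Logs metric filter pattern for the alarm the AWS page describes.
# Assumption: mirrors the documented pattern; verify against the linked page.
PENDING_DELETION_FILTER_PATTERN = (
    '{ ($.eventSource = kms.amazonaws.com) && '
    '($.errorMessage = "* is pending deletion.") }'
)

KEY_1 = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"  # placeholder
KEY_2 = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"  # placeholder

# Constructed sample CloudTrail log file: two failed calls against a key that
# is pending deletion, one successful call on a healthy key, one non-KMS event.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({
    "Records": [
        {
            "eventTime": "2024-01-15T10:01:02Z",
            "eventSource": "kms.amazonaws.com",
            "eventName": "Decrypt",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
            "errorCode": "KMSInvalidStateException",
            "errorMessage": f"{KEY_1} is pending deletion.",
            "resources": [{"ARN": KEY_1, "type": "AWS::KMS::Key"}],
        },
        {
            "eventTime": "2024-01-15T10:05:00Z",
            "eventSource": "kms.amazonaws.com",
            "eventName": "GenerateDataKey",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/alice"},
            "errorCode": "KMSInvalidStateException",
            "errorMessage": f"{KEY_1} is pending deletion.",
            "resources": [{"ARN": KEY_1, "type": "AWS::KMS::Key"}],
        },
        {
            "eventTime": "2024-01-15T10:06:30Z",
            "eventSource": "kms.amazonaws.com",
            "eventName": "Encrypt",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/bob"},
            "resources": [{"ARN": KEY_2, "type": "AWS::KMS::Key"}],
        },
        {
            "eventTime": "2024-01-15T10:07:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/bob"},
        },
    ]
})

SUFFIX = " is pending deletion."


def find_pending_deletion_attempts(log_text):
    """Return one dict per KMS API call that failed because the key is pending deletion.

    Only KMS events whose errorMessage ends with the pending-deletion suffix
    qualify; successful calls and other services' events are ignored.
    """
    records = json.loads(log_text).get("Records", [])
    hits = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        msg = rec.get("errorMessage") or ""
        if not msg.endswith(SUFFIX):
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "api": rec.get("eventName"),
            "caller": rec.get("userIdentity", {}).get("arn"),
            "key_arn": msg[:-len(SUFFIX)],   # the message starts with the key ARN
        })
    return hits


def summarize_by_key(hits):
    """Count attempts per key ARN: each entry is a scheduled deletion worth reconsidering."""
    return dict(Counter(h["key_arn"] for h in hits))


if __name__ == "__main__":
    attempts = find_pending_deletion_attempts(SAMPLE_CLOUDTRAIL_LOG)
    for h in attempts:
        print(f"{h['time']} {h['api']:<16} by {h['caller']} -> {h['key_arn']}")
    for arn, n in summarize_by_key(attempts).items():
        print(f"{n} attempt(s) on {arn}; consider: aws kms cancel-key-deletion --key-id {arn}")
```

In production the same filter logic runs inside CloudWatch Logs via the metric filter pattern, with an alarm on the resulting metric publishing to SNS; the offline scanner is useful for reviewing the waiting period after the fact, since the key is still recoverable with `aws kms cancel-key-deletion` until the scheduled date.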

The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys.
