

  • Data Protection KMS Clarification

  • Jar-B

    Member
    May 22, 2023 at 5:22 am

    Hi team,

    Looking at this question for the Section Based – Data Protection:

    As part of security policies for your new AWS account, you enabled encryption by default for EBS volumes so that all new EC2 instances have their EBS volumes encrypted automatically. You created a symmetric Customer Master Key (CMK) used to encrypt all volumes. After a few days of testing, you created your EC2 instances but accidentally deleted your CMK used for encrypting your EBS volumes.

    Which of the following actions will help you recover data from all of your encrypted volumes?

    The correct answer for this is:

    Migrate the data from the encrypted volume to an unencrypted volume.

    I just need some clarification on this, since the referenced documentation has no assumption that the CMK was deleted. How can migrating the data from the encrypted volume to an unencrypted volume work if the CMK was deleted?

    Thanks.

  • Gerome-TutorialsDojo

    Member
    May 26, 2023 at 11:40 am

    Hi Jar-B,

    Thanks for posting your question.

    If the CMK cannot be restored or you don’t have access to restore it, you can create a new CMK. Take note that the new CMK will have a different key ID and won’t be able to directly decrypt the data encrypted with the previous CMK.

    In this case, you will need to create a new unencrypted EBS volume and attach it to an EC2 instance. Then copy the data from the encrypted volume to the new unencrypted volume.

    • Use tools like “dd” or file-level copying utilities (e.g., rsync) to copy the data from the encrypted volume to the unencrypted volume.
    • Once the data transfer is complete, you can detach and delete the encrypted EBS volume.

    According to AWS docs, “When you have access to both an encrypted and unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption and decryption operations transparently.”

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#migrate-data-encrypted-unencrypted

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Gerome @ Tutorials Dojo
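The copy-and-verify step of the migration described in the reply above, as an added example that is not part of the original thread or of AWS's own documentation. It assumes the new unencrypted volume has already been created, attached, formatted and mounted (through the console or `aws ec2 create-volume` / `aws ec2 attach-volume`, as the reply describes), and that both volumes are mounted at the directories passed as arguments. The function names (`copy_volume_data`, `volume_manifest`, `verify_copy`, `migrate_volume`) are assumed for this example. It uses a tar pipe instead of rsync so that it runs on any Linux image, and it compares a `cksum` manifest of both trees before returning success, because the encrypted source should only be detached and deleted once the copy is known to be complete.

```shell
#!/bin/sh
# Added example (not from the original thread): copy the contents of a
# mounted encrypted EBS volume to a mounted unencrypted one and verify the
# copy before the encrypted volume is detached and deleted.
# Assumptions: both volumes are already attached and mounted; SRC and DST
# are their mount points (e.g. /mnt/encrypted and /mnt/plain).

set -eu

# copy_volume_data SRC DST
# File-level copy preserving permissions, ownership and timestamps via a
# tar pipe (tar exists on every EC2 Linux image; rsync -aHAX is an
# equivalent choice where it is installed).
copy_volume_data() {
    src="$1"; dst="$2"
    [ -d "$src" ] && [ -d "$dst" ] || { echo "mount point missing: $src or $dst" >&2; return 1; }
    (cd "$src" && tar cf - .) | (cd "$dst" && tar xf -)
}

# volume_manifest DIR
# Prints "crc size relative-path" for every regular file under DIR, sorted,
# so two trees can be compared independent of directory read order.
volume_manifest() {
    dir="$1"
    (cd "$dir" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        cksum "$f"
    done)
}

# verify_copy SRC DST
# Succeeds only if SRC and DST contain the same set of files with identical
# sizes and CRCs; a missing, extra or altered file makes it fail.
verify_copy() {
    a=$(volume_manifest "$1")
    b=$(volume_manifest "$2")
    [ "$a" = "$b" ]
}

# migrate_volume SRC DST
# Copy, then verify. Only after this returns 0 should the caller unmount,
# detach and delete the encrypted volume.
migrate_volume() {
    copy_volume_data "$1" "$2" && verify_copy "$1" "$2"
}
```

Usage: `migrate_volume /mnt/encrypted /mnt/plain && echo "safe to detach"`. A block-level `dd` of the device is the alternative the reply mentions; it needs a destination volume at least as large as the source, whereas this file-level copy only needs a filesystem on the destination and lets the unencrypted volume be sized to the data actually present.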
