Timed Set 3 – Q7
The question is as follows:
A healthcare organization has a data retention policy where a secure destruction process must be run when the patient data approaches the end of its retention period. The organization needs a cryptographic implementation that can perform cryptographic erasures within at least 7 days when the data is no longer required. An AWS Key Management Service (AWS KMS) custom key store must be used to manage the customer master keys (CMKs).
Which of the following must be implemented to meet these specifications?
– Create a Hash-Based Message Authentication Code (HMAC) KMS key
– Utilize a customer-managed CMK in AWS KMS
– Make use of an AWS-managed CMK.
– Use a CMK with an imported key material
Below is the explanation provided:
The option that says: Make use of an AWS-managed CMK is incorrect. AWS-managed CMKs are practical for most use cases, but they don’t let you schedule deletion or regulate the cryptographic erasure procedure. AWS automatically handles the deletion and cryptographic erasure of CMKs it manages, with no option to set a waiting period or initiate the erasure within a defined timeframe.
—
I don’t think there is anything such as “AWS-Managed CMK”. According to https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html it should be “AWS managed keys”. Please update to remove confusion.
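The explanation quoted above turns on one operational difference: a customer managed key can be put through ScheduleKeyDeletion with a waiting period (KMS accepts 7 to 30 days), while an AWS managed key's deletion is under AWS's control and cannot be scheduled against a retention deadline. The script below is an added example, not part of the original post or of Tutorials Dojo's material. It plans a retention-driven deletion for a key and refuses keys whose lifecycle the caller does not control. It assumes the KeyMetadata field names that KMS DescribeKey returns (KeyId, KeyManager, KeyState, Origin), the 7-30 day PendingWindowInDays range of ScheduleKeyDeletion, and a FakeKmsClient stand-in so it runs offline; the key IDs and dates are constructed placeholders.

```python
"""Plan a KMS key erasure that lands on a data-retention deadline.

Added example; the sample metadata dicts below are constructed and the key
IDs are placeholders, not real keys. With AWS access, a real
boto3.client("kms") can replace FakeKmsClient: apply_plan only calls
schedule_key_deletion(**kwargs), which boto3 exposes under the same name.
"""
from datetime import date, timedelta
from typing import Optional

# ScheduleKeyDeletion accepts a waiting period of 7 to 30 days.
MIN_WINDOW_DAYS = 7
MAX_WINDOW_DAYS = 30

# Constructed sample metadata using DescribeKey's KeyMetadata field names.
CUSTOMER_KEY = {"KeyId": "KEY-ID-PLACEHOLDER-1", "KeyManager": "CUSTOMER",
                "KeyState": "Enabled", "Origin": "AWS_CLOUDHSM"}  # custom key store
AWS_MANAGED_KEY = {"KeyId": "KEY-ID-PLACEHOLDER-2", "KeyManager": "AWS",
                   "KeyState": "Enabled", "Origin": "AWS_KMS"}
SAMPLE_TODAY = date(2024, 3, 1)


def is_schedulable(key_metadata: dict) -> bool:
    """Only customer managed keys accept ScheduleKeyDeletion; AWS managed keys
    are deleted on AWS's own terms, with no waiting period the caller can set."""
    return (key_metadata["KeyManager"] == "CUSTOMER"
            and key_metadata["KeyState"] != "PendingDeletion")


def plan_key_deletion(key_metadata: dict, today: date, retention_end: date) -> dict:
    """Return either a ScheduleKeyDeletion request for the key, or a 'wait'
    plan when the deadline is further out than the 30-day maximum window
    (scheduling now would erase the key before the data leaves retention)."""
    if not is_schedulable(key_metadata):
        raise ValueError(f"{key_metadata['KeyId']}: deletion cannot be scheduled")

    days_left = (retention_end - today).days
    if days_left > MAX_WINDOW_DAYS:
        # Earliest day on which a 30-day window ends exactly on the deadline.
        return {"action": "wait",
                "schedule_on": retention_end - timedelta(days=MAX_WINDOW_DAYS)}
    # KMS will not erase sooner than 7 days out, so a nearer deadline is
    # clamped up; plan the call at least 7 days before retention ends.
    window = max(MIN_WINDOW_DAYS, days_left)
    return {"action": "schedule",
            "request": {"KeyId": key_metadata["KeyId"],
                        "PendingWindowInDays": window}}


def plan_for(key_metadata: dict, days_until_deadline: int,
             today: date = SAMPLE_TODAY) -> dict:
    """Convenience wrapper: deadline expressed as days from `today`."""
    return plan_key_deletion(key_metadata, today,
                             today + timedelta(days=days_until_deadline))


class FakeKmsClient:
    """Offline stand-in (assumption) for the one KMS call this example makes.
    It enforces the same window range the real API does and records calls."""

    def __init__(self, today: date):
        self.today = today
        self.calls = []

    def schedule_key_deletion(self, KeyId: str, PendingWindowInDays: int = 30) -> dict:
        if not MIN_WINDOW_DAYS <= PendingWindowInDays <= MAX_WINDOW_DAYS:
            raise ValueError("PendingWindowInDays must be between 7 and 30")
        self.calls.append((KeyId, PendingWindowInDays))
        # Mirrors the fields KMS returns; DeletionDate is a date here, not a datetime.
        return {"KeyId": KeyId, "KeyState": "PendingDeletion",
                "PendingWindowInDays": PendingWindowInDays,
                "DeletionDate": self.today + timedelta(days=PendingWindowInDays)}


def apply_plan(client, plan: dict) -> Optional[dict]:
    """Execute a 'schedule' plan against the client; a 'wait' plan is a no-op."""
    if plan["action"] != "schedule":
        return None
    return client.schedule_key_deletion(**plan["request"])


if __name__ == "__main__":
    client = FakeKmsClient(SAMPLE_TODAY)
    print(apply_plan(client, plan_for(CUSTOMER_KEY, 10)))   # erased 2024-03-11
    print(plan_for(CUSTOMER_KEY, 45))                        # wait until 2024-03-16
    try:
        plan_for(AWS_MANAGED_KEY, 10)
    except ValueError as err:
        print("refused:", err)
```

The 'wait' branch is the part worth noticing: a retention policy that asks for erasure "within at least 7 days" still has to be driven by something that calls ScheduleKeyDeletion at the right moment, because the waiting period cannot exceed 30 days and cannot be shorter than 7.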
-
Hi AJam,
AWS-managed CMK is an old term, which “AWS managed keys” replaced. Thank you for bringing this up, and rest assured that we will update this as soon as possible.
If you have any further questions or concerns, please feel free to reach out.
Thank you for your understanding.
Regards,
Neil @ Tutorials Dojo