I’ve seen two questions on the exam regarding what to do when encountering a deleted CMK. I’ve read the KMS Whitepaper, and they seem to have a solution for when imported key material is deleted, but nothing regarding a deleted CMK. When a CMK is deleted:
Cannot encrypt data with that CMK
Cannot decrypt data that was encrypted with that CMK
The Backing key is deleted when the CMK is deleted
AWS says that any data that’s encrypted with that deleted CMK is lost. So I am left wondering what is the next step? The choices I was presented with imply there is more than just losing the data.
Aws enforces a deletion period of 7 to 30 days, after that your key is lost, and the only solution is to break the encryption of the key or lose the data.