Certified Security - Specialty

Sign Up Free or Log In to participate!

Deleted CMK Best Practice

I’ve seen two questions on the exam regarding what to do when encountering a deleted CMK. I’ve read the KMS Whitepaper, and they seem to have a solution for when imported key material is deleted, but nothing regarding a deleted CMK. When a CMK is deleted:

Cannot encrypt data with that CMK

Cannot decrypt data that was encrypted with that CMK

The Backing key is deleted when the CMK is deleted

AWS says that any data that’s encrypted with that deleted CMK is lost. So I am left wondering what is the next step? The choices I was presented with imply there is more than just losing the data.


Aws enforces a deletion period of 7 to 30 days, after that your key is lost, and the only solution is to break the encryption of the key or lose the data.

0 Answers

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?