1 Answers
Technically speaking, #2 is correct. When you delete the key material, as AWS states, "Deleting key material makes all data encrypted under the customer master key (CMK) unrecoverable unless you later import the same key material into the CMK. The CMK is not affected by this operation." The "gotcha" is, if you still have the key material it can be reimported.
The other "gotcha" is, "When you delete key material, the CMK becomes unusable right away. However, any data keys that AWS services are using are not immediately affected. This means that deleting key material might not immediately affect all of the data and AWS resources that are protected under the CMK, though they are affected eventually."
We need precision: waiting time is only for deleting the CMK! Deleting key material is like disabling the key; the CMK's key state changes to pending import, and the CMK is unusable. But you can reverse the deletion of key material by reimporting the same key material into the CMK. In contrast, deleting a CMK is irreversible.
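A simplified model of the two "gotchas" above, added here as an illustration and not taken from the answer or from AWS: `ModelCMK`, `wrap`, `unwrap` and `demo` are hypothetical names, and the toy SHA-256/HMAC wrap only stands in for KMS encryption. It shows that a data key already held in memory keeps working after the key material is deleted, and that reimporting the same material makes the encrypted data key decryptable again.

```python
import hashlib, hmac, os

def wrap(kek, data):
    """Toy key wrap (SHA-256 keystream XOR + HMAC tag); data must be <= 32 bytes."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(kek + nonce).digest()
    body = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + body + hmac.new(kek, nonce + body, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key material")
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, stream))

class ModelCMK:
    """Simplified model of a CMK with imported key material (assumption: not the AWS API)."""
    def __init__(self):
        self.state, self._material = "PendingImport", None
    def import_key_material(self, material):
        self._material, self.state = material, "Enabled"
    def delete_imported_key_material(self):
        # Takes effect right away; the CMK object itself remains and can be refilled.
        self._material, self.state = None, "PendingImport"
    def generate_data_key(self):
        plaintext = os.urandom(32)
        return plaintext, self._use(wrap, plaintext)
    def decrypt(self, encrypted_data_key):
        return self._use(unwrap, encrypted_data_key)
    def _use(self, op, blob):
        if self.state != "Enabled":
            raise RuntimeError(f"CMK is {self.state}")
        return op(self._material, blob)

def demo():
    material = os.urandom(32)                       # constructed key material
    cmk = ModelCMK()
    cmk.import_key_material(material)
    data_key, encrypted_key = cmk.generate_data_key()
    record = wrap(data_key, b"constructed record")  # data protected by the data key
    cmk.delete_imported_key_material()
    try:
        cmk.decrypt(encrypted_key)
        blocked = False
    except RuntimeError:
        blocked = True                              # CMK is unusable immediately
    cached_ok = unwrap(data_key, record) == b"constructed record"  # in-memory key still works
    cmk.import_key_material(material)               # reimport the same key material
    return blocked, cached_ok, cmk.decrypt(encrypted_key) == data_key
```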