The lesson does not explain why you would want to go through the trouble of configuring an external CMK

Exactly what benefit do you get from using an external CMK?
It’s actually explained in the next lecture "KMS Part 4" @3:32

1 Answer

In the KMS documentation I found this:

When you use imported key material, you remain responsible for the key material while allowing AWS KMS to use a copy of it. You might choose to do this for one or more of the following reasons:

To prove that you generated the key material using a source of entropy that meets your requirements.

To use key material from your own infrastructure with AWS services, and to use AWS KMS to manage the lifecycle of that key material within AWS.

To set an expiration time for the key material in AWS and to manually delete it, but to also make it available again in the future. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which you cannot recover the deleted CMK.

To own the original copy of the key material, and to keep it outside of AWS for additional durability and disaster recovery during the complete lifecycle of the key material.
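As an added example (not from the course or from AWS's own documentation), here is what the lifecycle the quoted passage describes looks like with the aws CLI and openssl: create a key with external origin, import your own key material with an expiry, then remove the material immediately. It assumes a configured aws CLI with the needed kms permissions, openssl, and GNU date for the default expiry; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the course or AWS): lifecycle of a KMS key with imported
# key material. Needs the aws CLI (kms permissions) and openssl; live flow is opt-in.
set -eu

# Wrap 256-bit key material with the RSA public key KMS returned for the import.
# Arguments: plaintext key file, wrapping public key (DER), output file.
# RSAES_OAEP_SHA_256 means OAEP with SHA-256 for both the hash and MGF1; a wrong
# option here makes ImportKeyMaterial reject the blob.
wrap_key_material() {
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$2" -in "$1" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Live flow: create the key, import our own material with an expiry, then remove it.
# VALID_TO is an RFC 3339 timestamp; the default assumes GNU date.
import_external_key() {
  work=$(mktemp -d)
  valid_to=${VALID_TO:-$(date -u -d '+365 days' +%Y-%m-%dT%H:%M:%SZ)}
  # 1. Origin=EXTERNAL creates a key with no material (KeyState: PendingImport).
  key_id=$(aws kms create-key --origin EXTERNAL --description "imported key material demo" \
             --query KeyMetadata.KeyId --output text)
  # 2. One call returns the wrapping key and the import token that pairs with it
  #    (valid 24 hours); never combine a key and a token from separate calls.
  aws kms get-parameters-for-import --key-id "$key_id" \
      --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
      --query '[PublicKey,ImportToken]' --output text > "$work/params.txt"
  read -r pub_b64 token_b64 < "$work/params.txt"
  printf '%s' "$pub_b64"   | base64 -d > "$work/wrapping-key.der"
  printf '%s' "$token_b64" | base64 -d > "$work/import-token.bin"
  # 3. Key material from an entropy source we control. This file is the only
  #    original copy: keep it in your own secure storage, because a later
  #    re-import must supply byte-identical material.
  openssl rand -out "$work/plaintext-key.bin" 32
  wrap_key_material "$work/plaintext-key.bin" "$work/wrapping-key.der" "$work/wrapped-key.bin"
  # 4. Import with an expiry; KMS removes the material itself at valid_to.
  aws kms import-key-material --key-id "$key_id" \
      --encrypted-key-material "fileb://$work/wrapped-key.bin" \
      --import-token "fileb://$work/import-token.bin" \
      --expiration-model KEY_MATERIAL_EXPIRES --valid-to "$valid_to"
  # 5. Manual removal is immediate (no 7-30 day wait as with schedule-key-deletion);
  #    the key goes back to PendingImport and the same bytes can be imported again.
  aws kms delete-imported-key-material --key-id "$key_id"
  echo "$key_id"
}

# Opt in to the live flow so the functions can also be sourced and tested offline.
if [ "${KMS_IMPORT_DEMO:-0}" = 1 ]; then import_external_key; fi
```

Run with `KMS_IMPORT_DEMO=1 sh import-demo.sh` against a real account; without the variable the script only defines the functions.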