Key Rotation
Key rotation is the process of generating new cryptographic material (a new backing key) for a KMS key, formerly called a Customer Master Key (CMK), and using that material for all new encryption operations. The previous material is not discarded: AWS KMS retains every earlier version so that ciphertext produced under it can still be decrypted, and the key's ID, ARN, aliases, key policy and grants stay the same, so applications need no change and no data has to be re-encrypted. Rotating limits how much data any one piece of key material protects and how long a compromised version remains useful. AWS KMS rotates AWS managed keys yearly on its own and can rotate customer managed keys automatically on a schedule (365 days by default, configurable between 90 and 2560 days) or on demand; keys that are not eligible for automatic rotation (asymmetric, HMAC, imported material, custom key stores) are rotated manually by creating a new key and repointing the alias.
Key Rotation in AWS KMS - Guide and Exam Tips
What is Key Rotation:
Key Rotation in AWS KMS refers to replacing the cryptographic material behind a KMS key with freshly generated material while the key's identity (ID, ARN, aliases, policy) stays the same. It improves the security of your data by limiting how long any single piece of key material is in active use.
Why it is important:
Key rotation is an essential security practice because it limits the window in which an attacker can exploit a compromised key and bounds the amount of data encrypted under a single piece of key material, so one compromise exposes less. It also satisfies compliance requirements that demand periodic key rotation. Note what rotation does not do: it does not protect against a compromised access path (an IAM principal, key policy or grant that is allowed to call Decrypt), because that principal can decrypt under the new material just as well as the old.
How it works:
When automatic rotation is enabled on a symmetric KMS key whose material was generated by KMS, AWS KMS creates new key material on the configured schedule (every year by default). All new Encrypt, GenerateDataKey and similar requests use the newest material, while every earlier version is retained so that ciphertext produced under it can still be decrypted. KMS records which version produced each ciphertext, so callers keep using the same key ID or alias and never need to re-encrypt existing data. Automatic rotation does not apply to asymmetric keys, HMAC keys, keys with imported key material, or keys in custom key stores; those are rotated manually by creating a new KMS key and pointing the alias at it.
Exam Tips - Answering Questions on Key Rotation:
When answering questions on key rotation, remember:
- AWS KMS rotates AWS managed keys (the aws/<service> keys) automatically once a year; you cannot change or disable this schedule.
- Key rotation never deletes old key material; every previous version remains available for decryption until the KMS key itself is deleted, at which point all versions are deleted with it.
- Key rotation is transparent to applications: the key ID, ARN, alias, key policy and grants are unchanged, and existing ciphertext does not need to be re-encrypted.
- For customer managed keys, automatic rotation is optional and applies only to symmetric keys with KMS-generated key material. The period defaults to 365 days and can be set anywhere from 90 to 2560 days; you can also trigger an on-demand rotation.
- Automatic rotation is not turned on by default when you create a customer managed key (CMK); you must enable it explicitly in the console, with the EnableKeyRotation API, or with `aws kms enable-key-rotation`.
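The rules above (AWS managed keys rotate on their own, rotation is off by default on customer managed keys, and some key types can only be rotated by hand) are easiest to check with a small audit. The following is an added example, not code from the original page or from AWS: the classification logic runs offline on constructed sample records shaped like the DescribeKey (KeyMetadata) and GetKeyRotationStatus responses, and `fetch_keys()` can pull real records with boto3 when credentials are available. The 365-day policy threshold, the sample key IDs and the `--live` flag are assumptions made for the example.

```python
"""Audit AWS KMS key rotation settings.

Added example, not code from the original page or from AWS. The audit
logic works on a list of dicts shaped like the merged output of
DescribeKey (KeyMetadata) and GetKeyRotationStatus, so it can run
offline on the constructed sample below; fetch_keys() collects the same
shape from a real account with boto3. MAX_ROTATION_DAYS is an assumed
organisational policy, not a KMS limit.
"""
from __future__ import annotations

import json
import sys

# Assumed policy: key material must rotate at least once per year.
MAX_ROTATION_DAYS = 365


def classify_key(key: dict) -> tuple[str, str]:
    """Return (status, reason) for one key record.

    "ok"      rotation is handled by KMS and within policy
    "finding" customer managed key with rotation disabled or a period
              longer than MAX_ROTATION_DAYS
    "manual"  key type KMS cannot rotate automatically; rotate by creating
              a new key and moving the alias
    "skip"    key is scheduled for deletion
    """
    state = key.get("KeyState")
    if state in ("PendingDeletion", "PendingReplicaDeletion"):
        return "skip", f"key state {state}"

    if key.get("KeyManager") == "AWS":
        # AWS managed keys rotate yearly; nothing to configure.
        return "ok", "AWS managed key, rotated yearly by KMS"

    # Automatic rotation only covers symmetric keys with KMS-generated material.
    if key.get("KeySpec") != "SYMMETRIC_DEFAULT" or key.get("KeyUsage") != "ENCRYPT_DECRYPT":
        return "manual", f"{key.get('KeySpec')} keys cannot be auto-rotated"
    if key.get("Origin") != "AWS_KMS":
        return "manual", f"origin {key.get('Origin')} cannot be auto-rotated"

    if not key.get("KeyRotationEnabled", False):
        return "finding", "automatic rotation disabled"

    period = key.get("RotationPeriodInDays", 365)  # KMS default when unset
    if period > MAX_ROTATION_DAYS:
        return "finding", f"rotation period {period} days exceeds policy ({MAX_ROTATION_DAYS})"
    return "ok", f"rotates every {period} days"


def audit(keys: list[dict]) -> dict[str, list[str]]:
    """Group key IDs by status so the result is easy to report or assert on."""
    report: dict[str, list[str]] = {"ok": [], "finding": [], "manual": [], "skip": []}
    for key in keys:
        status, _ = classify_key(key)
        report[status].append(key["KeyId"])
    return report


# Constructed sample records (not from a real account), shaped like
# KeyMetadata merged with the GetKeyRotationStatus response.
SAMPLE_KEYS = [
    {"KeyId": "aws-s3", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "app-data", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "KeyState": "Enabled",
     "KeyRotationEnabled": False},
    {"KeyId": "app-backups", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "KeyState": "Enabled",
     "KeyRotationEnabled": True, "RotationPeriodInDays": 730},
    {"KeyId": "app-logs", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "KeyState": "Enabled",
     "KeyRotationEnabled": True, "RotationPeriodInDays": 180},
    {"KeyId": "signing", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
     "KeyUsage": "SIGN_VERIFY", "Origin": "AWS_KMS", "KeyState": "Enabled",
     "KeyRotationEnabled": False},
    {"KeyId": "byok", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "EXTERNAL", "KeyState": "Enabled",
     "KeyRotationEnabled": False},
    {"KeyId": "retired", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "KeyState": "PendingDeletion"},
]


def fetch_keys(region: str | None = None) -> list[dict]:
    """Collect the same record shape from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline audit logic has no AWS dependency

    kms = boto3.client("kms", region_name=region)
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            rot = kms.get_key_rotation_status(KeyId=entry["KeyId"])
            rot = {k: v for k, v in rot.items() if k != "ResponseMetadata"}
            records.append({**meta, **rot})
    return records


if __name__ == "__main__":
    keys = fetch_keys() if "--live" in sys.argv else SAMPLE_KEYS
    for key in keys:
        status, reason = classify_key(key)
        print(f"{status:8} {key['KeyId']:<14} {reason}")
    print(json.dumps(audit(keys), indent=2))
```

Run without arguments to see the sample classified (`app-data` and `app-backups` are findings, `signing` and `byok` need manual rotation); run with `--live` against an account to audit real keys. A finding is fixed with `aws kms enable-key-rotation --key-id <id> --rotation-period-in-days 365`; a `manual` result is not a misconfiguration but a reminder that the key's rotation has to be scheduled outside KMS.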
Always refer back to the AWS documentation and practice tests to solidify your understanding.
AWS Certified Solutions Architect - AWS KMS Example Questions
Test your knowledge of AWS Key Management Service (KMS)
Question 1
You have an application that uses Amazon KMS with Customer Master Keys (CMKs) for key rotation. You want to ensure the rotation happens every nine months. How can you set this up?
Question 2
A company's software solution encrypts all stored files using AWS Key Management Service (KMS). The company's security policy recommends that encryption keys are rotated at least once per year. Which method should be used?
Question 3
You are responsible for managing access keys in an AWS environment. One of the IAM users is about to leave the company. What should you do to prevent unauthorized access?