Q83 — AWS SCS-C02 Ch.1

A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. Which solution meets these requirements?

Correct Answer: B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.

Explanation

AWS KMS customer managed keys support imported key material (B). Per the AWS documentation, the DeleteImportedKeyMaterial API removes the imported material immediately and makes the key unusable at once: the key falls back to the PendingImport state, ciphertext produced under it can no longer be decrypted, and access returns only if the identical material is re-imported. Because KMS cannot regenerate imported material, the organization must keep its own secure copy if it ever wants to restore access. With the key referenced from the bucket's default encryption configuration (SSE-KMS), users never touch key material themselves, and KMS scales without the organization operating any infrastructure. A KMS key whose material KMS generated (A) can only be removed with ScheduleKeyDeletion, which enforces a waiting period of 7 to 30 days, so immediate deletion is impossible. CloudHSM (C) requires the organization to run and manage its own HSM cluster, which adds operational burden. Systems Manager Parameter Store (D) is not a key management service and is unsuited to large-scale encryption.
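The sequence the explanation describes, as an added example that is not part of the original page or of any AWS sample: create a KMS key with EXTERNAL origin, wrap and import locally generated material, point the bucket's default encryption at the key, and then compare the immediate DeleteImportedKeyMaterial path with the 7-to-30-day ScheduleKeyDeletion path. It assumes AWS CLI v2, GNU coreutils and openssl on the PATH; the alias, bucket name and working directory are illustrative.

```shell
#!/usr/bin/env bash
# Added example: S3 SSE-KMS with a KMS key whose material is imported, and
# the two deletion paths side by side. Assumes AWS CLI v2 plus GNU
# coreutils/openssl; alias, bucket and paths below are illustrative.
set -eu

# Create a KMS key that holds no material yet (origin EXTERNAL). It starts
# in the PendingImport state and cannot encrypt until material is imported.
create_external_key() {
  local alias_name="$1" key_id
  key_id=$(aws kms create-key --origin EXTERNAL \
    --description "S3 SSE-KMS key, imported material" \
    --query KeyMetadata.KeyId --output text)
  aws kms create-alias --alias-name "alias/$alias_name" --target-key-id "$key_id"
  echo "$key_id"
}

# Fetch the RSA wrapping key and a one-time import token, wrap 32 bytes of
# locally generated material with RSAES_OAEP_SHA_256, and import it.
# material.bin is the only copy KMS will ever accept for re-import: move it
# to offline storage, because KMS cannot regenerate imported material.
import_material() {
  local key_id="$1" dir="$2"
  aws kms get-parameters-for-import --key-id "$key_id" \
    --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
    --query '[PublicKey,ImportToken]' --output text > "$dir/params.txt"
  cut -f1 "$dir/params.txt" | base64 -d > "$dir/wrap.der"   # base64 --decode on macOS
  cut -f2 "$dir/params.txt" | base64 -d > "$dir/token.bin"
  openssl rand -out "$dir/material.bin" 32
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$dir/wrap.der" \
    -in "$dir/material.bin" -out "$dir/wrapped.bin" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
  aws kms import-key-material --key-id "$key_id" \
    --encrypted-key-material "fileb://$dir/wrapped.bin" \
    --import-token "fileb://$dir/token.bin" \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
}

# Make every new object in the bucket SSE-KMS under that key, so users never
# handle key material or add per-request encryption headers.
set_bucket_default_encryption() {
  local bucket="$1" key_id="$2"
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration \
    "{\"Rules\":[{\"ApplyServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"$key_id\"}}]}"
}

key_state() {
  aws kms describe-key --key-id "$1" --query KeyMetadata.KeyState --output text
}

# Immediate revocation: the material is gone when the call returns, the key
# drops to PendingImport, and nothing encrypted under it can be decrypted
# until the identical material is re-imported. The key object, its alias
# and its key policy stay in place.
delete_material_now() {
  aws kms delete-imported-key-material --key-id "$1"
}

# Contrast: a key whose material KMS generated can only be scheduled for
# deletion, and the API accepts a waiting window of 7 to 30 days (default
# 30). Reject anything outside that range before making the call.
schedule_deletion() {
  local key_id="$1" days="$2"
  if [ "$days" -lt 7 ] || [ "$days" -gt 30 ]; then
    echo "pending window must be 7..30 days, got $days" >&2
    return 2
  fi
  aws kms schedule-key-deletion --key-id "$key_id" \
    --pending-window-in-days "$days" --query DeletionDate --output text
}

# Typical sequence (run by hand; each step is a function above):
#   KEY=$(create_external_key s3-imported-material)
#   import_material "$KEY" "$(mktemp -d)"
#   set_bucket_default_encryption my-bucket "$KEY"
#   key_state "$KEY"            # Enabled
#   delete_material_now "$KEY"
#   key_state "$KEY"            # PendingImport
```

The 7-day floor in schedule_deletion is the same minimum the KMS API enforces; the local check only saves a round trip. Note that delete_material_now leaves the key, alias and bucket configuration intact, so new uploads to the bucket fail until material is re-imported, which is the intended effect of an emergency revocation.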