SCS-C02 Question #258: Real Exam Question with Answer & Explanation

Question

A company uses AWS Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume. A security engineer must recommend a solution to decrypt the EBS volume's encrypted data key. The solution must also attach the volume to the EC2 instance. Which solution will meet these requirements?

Options

• AImport new key material into the key. Attach the EBS volume.
• BRestore the EBS volume from a snapshot that was taken before the deletion of the key material.
• CReimport the same key material that originally was imported into the key. Attach the EBS volume.
• DCreate a new key. Import new key material. Attach the EBS volume.

Explanation

When the key material for a customer-managed KMS key is deleted, the key becomes unusable, and any encrypted data that relies on that key, such as an EBS volume, cannot be decrypted. However, if a snapshot of the EBS volume was taken before the key material was deleted, you can restore the volume from that snapshot. The snapshot would still be associated with a valid KMS key or use the default encryption mechanism, allowing you to decrypt and access the data. Importing new key material or reimporting the same key material would not help because the EBS volume is tied to the specific key that had its material deleted, and once a key's material is deleted, it cannot be restored.

No community discussion yet for this question.