nerdexam

SCS-C02 Question #344: Real Exam Question with Answer & Explanation

Marked answer: A. Configure AWS KMS and use a custom key store. The explanation below argues that this marked answer conflicts with AWS documentation and that the default key store with imported key material is the technically correct choice.

Submitted by yaw92 · Mar 6, 2026 · Data Protection

Question

A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately if needed. How should a security engineer set up AWS KMS to meet these requirements?

Options

  • A. Configure AWS KMS and use a custom key store.
  • B. Configure AWS KMS and use the default Key store.
  • C. Configure AWS KMS and use the default key store.
  • D. Configure AWS KMS and use a custom key store.

Explanation

Note: this question has a formatting problem. Options A and D are identical ("custom key store"), and B and C differ only in the capitalization of "Key store" versus "key store", which suggests the option text was truncated or corrupted when the question was copied. More importantly, the marked answer (A, a custom key store) conflicts with AWS documentation. Here is the accurate explanation.

Why the default key store (B/C) is actually the correct approach: the three requirements, importing your own key material (BYOK), setting an expiration date, and deleting immediately, are all features of imported key material in the default AWS KMS key store. You create a symmetric KMS key with Origin=EXTERNAL, which starts with no key material (KeyState PendingImport), wrap your key material with the public key returned by GetParametersForImport, and call ImportKeyMaterial. That call accepts ExpirationModel=KEY_MATERIAL_EXPIRES with a ValidTo timestamp; when the date passes, KMS stops using the material and the key returns to PendingImport. DeleteImportedKeyMaterial removes the material at once, so the key is unusable immediately and the 7 to 30 day waiting period of ScheduleKeyDeletion does not apply; the key ID and metadata remain, so the same material can be re-imported later. Practical caveat: S3 objects encrypted with SSE-KMS under that key cannot be decrypted until the material is re-imported, so treat deletion as the emergency kill switch the policy asks for, not as routine rotation.

Why "custom key store" (A/D) is wrong for these requirements: KMS does not allow ImportKeyMaterial on a key in any custom key store. In an AWS CloudHSM key store the key material is generated inside the CloudHSM cluster, and in an external key store it never leaves the external key manager, so there is nothing to import and the ExpirationModel/ValidTo settings do not apply. Deleting a KMS key from a custom key store also still goes through the ScheduleKeyDeletion waiting period. This disqualifies custom key stores from meeting the stated requirements.

Memory tip: Think "Import = Default store" - you BYO (Bring Your Own) key material to the default KMS key store. A custom key store is for when you need dedicated HSM hardware control, not for importing your own keys. If an exam question lists all three features together (import material + expiration + immediate delete), that's the imported-key-material pattern in the default store.

Bottom line: Treat this as a flawed question. The technically correct AWS answer is the default key store with imported key material, not a custom key store.
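The following Python helper makes the explanation above concrete. It is an added example for this page, not code from AWS or the question author. The boto3 operation and parameter names (CreateKey with Origin=EXTERNAL, GetParametersForImport, ImportKeyMaterial with ExpirationModel/ValidTo, DeleteImportedKeyMaterial) are the real ones, but the FakeKms client and the KeyMetadata dictionaries are constructed stand-ins so the file runs offline; against a real account you would pass a boto3 KMS client and a wrap_material function that does RSA-OAEP-SHA256 with the returned public key. The audit function also generalises the question: given DescribeKey output for several keys, it reports which ones satisfy all three requirements and why the others do not.

```python
"""Imported-key-material (BYOK) helpers for the default AWS KMS key store.

Added example; not AWS code. API and parameter names are boto3's real ones.
FakeKms and SAMPLE_KEYS are constructed stand-ins so this runs offline.
"""
from datetime import datetime, timedelta, timezone

# Origins that mean the key lives in a custom key store (CloudHSM or external).
CUSTOM_STORE_ORIGINS = {"AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"}


def meets_requirements(meta):
    """Check one DescribeKey KeyMetadata dict against the question's three needs.

    import own material -> Origin == 'EXTERNAL' (key created with no material)
    expiration date     -> ExpirationModel == 'KEY_MATERIAL_EXPIRES' plus ValidTo
    immediate deletion  -> only imported material can be removed at once with
                           DeleteImportedKeyMaterial; a custom key store cannot
                           take imported material at all.
    Returns (ok, reasons).
    """
    reasons = []
    origin = meta.get("Origin")
    if meta.get("CustomKeyStoreId") or origin in CUSTOM_STORE_ORIGINS:
        reasons.append("custom key store: key material cannot be imported")
    elif origin != "EXTERNAL":
        reasons.append(f"Origin {origin}: material generated by KMS, not imported")
    if meta.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES" or "ValidTo" not in meta:
        reasons.append("key material has no expiration date")
    return (not reasons, reasons)


def create_key_params(description):
    # Origin='EXTERNAL' creates a KMS key with no material (KeyState PendingImport).
    return {"Origin": "EXTERNAL", "KeySpec": "SYMMETRIC_DEFAULT",
            "KeyUsage": "ENCRYPT_DECRYPT", "Description": description}


def import_params(key_id, import_token, wrapped_material, valid_days, now=None):
    # ValidTo is the expiration date; after it KMS refuses to use the material.
    now = now or datetime.now(timezone.utc)
    return {"KeyId": key_id, "ImportToken": import_token,
            "EncryptedKeyMaterial": wrapped_material,
            "ExpirationModel": "KEY_MATERIAL_EXPIRES",
            "ValidTo": now + timedelta(days=valid_days)}


def byok_lifecycle(kms, wrap_material, description, valid_days):
    """Create key -> fetch wrapping key -> import material. Returns the key ID.

    wrap_material(public_key_der) must return the 256-bit material wrapped with
    the KMS public key using the requested algorithm (RSAES_OAEP_SHA_256).
    """
    key_id = kms.create_key(**create_key_params(description))["KeyMetadata"]["KeyId"]
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_4096")
    kms.import_key_material(**import_params(
        key_id, params["ImportToken"], wrap_material(params["PublicKey"]), valid_days))
    return key_id


def revoke_now(kms, key_id):
    # Immediate: unlike ScheduleKeyDeletion (7 to 30 day wait), the key is
    # unusable as soon as this call returns. Material can be re-imported later.
    kms.delete_imported_key_material(KeyId=key_id)


class FakeKms:
    """Constructed stand-in that records calls; it is not the AWS SDK."""
    def __init__(self):
        self.calls = []

    def create_key(self, **kw):
        self.calls.append(("CreateKey", kw))
        return {"KeyMetadata": {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}}

    def get_parameters_for_import(self, **kw):
        self.calls.append(("GetParametersForImport", kw))
        return {"ImportToken": b"token", "PublicKey": b"rsa-der", "ParametersValidTo": None}

    def import_key_material(self, **kw):
        self.calls.append(("ImportKeyMaterial", kw))
        return {}

    def delete_imported_key_material(self, **kw):
        self.calls.append(("DeleteImportedKeyMaterial", kw))
        return {}


def demo():
    """Run the full BYOK sequence against FakeKms and return the recorded calls."""
    kms = FakeKms()
    key_id = byok_lifecycle(kms, lambda pub: b"wrapped:" + pub, "s3-byok", valid_days=365)
    revoke_now(kms, key_id)
    return kms.calls


# Constructed KeyMetadata samples shaped like DescribeKey output (not real keys).
SAMPLE_KEYS = {
    "byok-default-store": {"Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
                           "ValidTo": datetime(2027, 1, 1, tzinfo=timezone.utc)},
    "byok-no-expiry": {"Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    "kms-generated": {"Origin": "AWS_KMS"},
    "cloudhsm-store": {"Origin": "AWS_CLOUDHSM", "CustomKeyStoreId": "cks-1234567890abcdef0"},
}

if __name__ == "__main__":
    for name, meta in SAMPLE_KEYS.items():
        print(name, meets_requirements(meta))
    print([c[0] for c in demo()])
```

Only the first sample key passes: it has imported material (Origin EXTERNAL) with an expiration date, and because the material is imported it can be removed immediately. The CloudHSM-backed key fails the import check outright, which is the point the exam question is testing.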

Topics

#AWS KMS, #Key Management, #Data Encryption, #Custom Key Store
