You disable an AWS KMS key. What is the immediate effect on services that use this key?
Think about what disabling a key means for its usability.
Disabling a KMS key prevents any encryption or decryption operations using that key. It does not delete the key or rotate it automatically.
You want to allow a user to decrypt data encrypted with a specific KMS key. Which IAM action must be included in the policy?
Decrypting data requires a specific KMS permission that covers reading encrypted content.
The kms:Decrypt action allows a user to decrypt ciphertext that was encrypted under a KMS key.
You want to ensure your encryption keys rotate automatically without downtime for your application. Which approach is best?
Think about how KMS supports key rotation natively.
Enabling automatic key rotation on a customer managed key allows KMS to create new cryptographic material yearly while keeping the same key ARN, so applications do not need changes.
You want to follow the principle of least privilege when granting access to KMS keys. Which practice aligns best?
Think about combining policies to limit access effectively.
Using both key policies and IAM policies to restrict access to only required actions and keys follows least privilege and improves security.
You attempt to decrypt ciphertext using a KMS key that is scheduled for deletion but not yet deleted. What error will AWS KMS return?
Consider the key's state when scheduled for deletion.
A KMS key scheduled for deletion is in a pending deletion state and cannot be used for cryptographic operations, causing a KMSInvalidStateException error.