Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in understanding the difference between immediate and scheduled key deletion in AWS KMS and how key material removal affects key lifecycle. In production, this boils down to knowing exactly how KMS APIs enforce deletion and the management overhead around imported key material. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
InnoData Solutions is a fintech startup that leverages AWS KMS to manage encryption keys for securing sensitive customer data. Their development team requires a highly available key management solution that eliminates any manual server or infrastructure maintenance. Additionally, there is a strict security policy that mandates immediate deletion of encryption keys once keys are no longer needed, without any delay period. The solution must also minimize operational overhead while ensuring compliance with these deletion constraints.
The Requirement: #
Design a solution that supports immediate deletion of encryption keys in AWS KMS with zero manual infrastructure management and ensures high availability.
The Options #
- A) Use AWS KMS managed keys. When the keys are no longer required, schedule the keys for immediate deletion.
- B) Use customer managed keys with imported key material. When the keys are no longer required, delete the imported key material.
- C) Use customer managed keys. When the keys are no longer required, delete the key material.
- D) Use customer managed keys and an AWS CloudHSM key store. When the keys are no longer required, schedule the keys for immediate deletion.
Correct Answer #
C
Quick Insight: The Developer Imperative #
The main consideration here is the behavior of AWS KMS customer managed keys (CMKs) with and without imported key material regarding deletion.
AWS managed keys cannot be deleted immediately—they have a mandatory waiting period.
Customer managed keys with imported key material can have the key material deleted immediately without scheduling key deletion, effectively disabling the key immediately.
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
Customer managed CMKs in AWS KMS give you granular control. When you delete the key material (using the DeleteKeyMaterial API), the key moves immediately into a disabled and unusable state without needing to schedule deletion and wait out the 7 to 30 day waiting period. This satisfies the immediate delete requirement. It also does not require managing any compute infrastructure, as KMS is a fully managed service. This approach is highly available, operationally simple, and aligns with the developer requirements.
The Trap (Distractor Analysis) #
- Option A: AWS managed keys cannot be scheduled for immediate deletion. The shortest deletion window is a 7-day waiting period, so this does not meet the immediate deletion requirement.
- Option B: Customer managed keys with imported key material do allow the material alone to be deleted (which disables the key immediately), but the option is framed ambiguously: deleting imported key material matches the behavior option C describes, while the actual API action is deleting key material, not deleting "imported keys". Imported keys also require specialized management.
- Option D: Using CloudHSM-backed keys adds operational complexity, and deletion still requires scheduling and waiting, so it does not meet the immediate requirement.
The Technical Blueprint #
```bash
# Delete the imported key material from a customer managed CMK (Origin=EXTERNAL).
# The key becomes unusable immediately; no waiting period is involved.
# The CLI subcommand is delete-imported-key-material (API: DeleteImportedKeyMaterial).
aws kms delete-imported-key-material --key-id <key-id>
```
Note: This command only works for CMKs with imported key material. For standard CMKs without imported key material, you have to schedule key deletion.
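As an added example (not code from the original note), the following Python routine encodes the retirement rule the blueprint describes: if the key's Origin is EXTERNAL it calls the DeleteImportedKeyMaterial path, which takes effect immediately, otherwise it falls back to ScheduleKeyDeletion with the 7 to 30 day window that KMS enforces. The method and parameter names follow boto3's KMS client, but `FakeKmsClient`, `retire_key` and `sample_keys` are constructed here so the logic runs offline without an AWS account.

```python
# Added example: choose the fastest retirement path KMS allows for a key, based on
# its DescribeKey metadata. FakeKmsClient is a constructed in-memory stand-in for
# boto3.client("kms") (same method and parameter names); nothing here calls AWS.
MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30  # range KMS enforces for ScheduleKeyDeletion


class FakeKmsClient:
    """In-memory stand-in for the boto3 KMS client (constructed for this example)."""

    def __init__(self, keys):
        self.keys = keys  # key_id -> KeyMetadata-like dict

    def describe_key(self, KeyId):
        return {"KeyMetadata": self.keys[KeyId]}

    def delete_imported_key_material(self, KeyId):
        # Only valid for imported material (Origin=EXTERNAL); effect is immediate.
        if self.keys[KeyId]["Origin"] != "EXTERNAL":
            raise ValueError("UnsupportedOperationException: key material was not imported")
        self.keys[KeyId].update(KeyState="PendingImport", Enabled=False)
        return {}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays=30):
        if not MIN_WINDOW_DAYS <= PendingWindowInDays <= MAX_WINDOW_DAYS:
            raise ValueError("PendingWindowInDays must be between 7 and 30")
        self.keys[KeyId].update(KeyState="PendingDeletion", Enabled=False)
        return {"KeyId": KeyId, "PendingWindowInDays": PendingWindowInDays}


def retire_key(kms, key_id, window_days=MIN_WINDOW_DAYS):
    """Return which API was used, how many days until removal, and the new KeyState."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta.get("KeyManager") == "AWS":
        # KMS rejects ScheduleKeyDeletion for AWS managed keys.
        raise PermissionError("AWS managed keys cannot be scheduled for deletion")
    if meta.get("Origin") == "EXTERNAL":
        kms.delete_imported_key_material(KeyId=key_id)  # immediate, no waiting period
        action, wait_days = "DeleteImportedKeyMaterial", 0
    else:
        resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=window_days)
        action, wait_days = "ScheduleKeyDeletion", resp["PendingWindowInDays"]
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    return {"action": action, "wait_days": wait_days, "state": state}


def sample_keys():
    """Constructed metadata for the three key kinds the note compares."""
    return {
        "imported": {"Origin": "EXTERNAL", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
        "standard": {"Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
        "aws-managed": {"Origin": "AWS_KMS", "KeyManager": "AWS", "KeyState": "Enabled"},
    }
```

Against a real client, `retire_key(boto3.client("kms"), key_id)` needs kms:DescribeKey plus kms:DeleteImportedKeyMaterial or kms:ScheduleKeyDeletion on the key.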
The Comparative Analysis #
| Option | API Complexity | Operational Overhead | Immediate Deletion Support | Use Case |
|---|---|---|---|---|
| A | Low - basic KMS API | Low | No (mandatory waiting period) | AWS-managed keys, simplest management |
| B | Medium - manage imported material | Higher (manage imported key material lifecycle) | Yes (via imported key material deletion) | Customer managed with imported keys |
| C | Medium - delete key material API | Low | Yes | Customer managed keys with deletable key material |
| D | High - CloudHSM integration | High | No | Customer managed keys with HSM-backed security |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick customer managed keys and delete the key material directly when you see a requirement for immediate key deletion without a waiting period.
Real World #
In real environments, imported key material is often avoided because of its operational overhead unless compliance dictates very strict control. Most teams use customer managed KMS keys and schedule deletions unless an immediate disabling effect is critical.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.