ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A financial-services startup is moving customer account data to an object storage bucket in a public IaaS cloud. The data must be encrypted at rest, and auditors have mandated enforcement of separation of duties:
Application micro-services should be able to encrypt and decrypt objects only.
Security engineers, not developers, must control key rotation, disabling, and deletion.

Which key-management approach BEST meets these requirements while minimizing operational overhead?
Implement application-layer encryption using a single symmetric key stored in the source-code repository and rotate it manually when needed.
Generate keys in an on-premises HSM, import them into the cloud KMS, and deny the cloud applications any KMS permissions.
Create a customer-managed key in the cloud KMS, grant only encrypt/decrypt permissions to the application role, and restrict key administration (rotation, disable, delete) to the security team.
Keep the default service-managed encryption keys and schedule periodic bulk re-encryption of all objects.
Using a customer-managed key (CMK) created in the provider's native key-management service satisfies the control objectives without adding excessive complexity. A CMK can be configured so that:
The application's IAM role receives only the "Encrypt" and "Decrypt" permissions for that specific key, enabling data processing but not key administration.
Security administrators are granted the separate "kms:Create*, kms:Disable*, kms:ScheduleKeyDeletion" and rotation permissions, allowing them to manage the key lifecycle.

This enforces separation of duties and least privilege, while still benefiting from the provider's built-in redundancy, auditing, and automated annual rotation for CMKs. Relying on fully provider-managed keys (service-managed encryption) does not give the security team control over rotation or deletion. Importing on-premises HSM keys can meet the control objective but adds significant operational burden and eliminates automatic rotation. Embedding a static symmetric key in application code violates key-management best practices and offers no separation of duties.
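As an added example (not part of the original question or explanation), the key policy described above written as an AWS-style policy document, together with a small check that no principal holds both data-plane (Encrypt/Decrypt) and lifecycle permissions. The account ID and role ARNs are constructed placeholders.

```python
# Added example: an AWS-style KMS key policy that separates data-plane use of a CMK
# from key administration, plus a check that the separation of duties holds.
# Account ID and role names are constructed placeholders, not real identifiers.
import fnmatch

APP_ROLE = "arn:aws:iam::111122223333:role/app-microservice"     # constructed
SEC_ROLE = "arn:aws:iam::111122223333:role/security-key-admins"  # constructed
DATA_ACTIONS = ["kms:Encrypt", "kms:Decrypt"]
ADMIN_ACTIONS = ["kms:Create*", "kms:Disable*", "kms:ScheduleKeyDeletion",
                 "kms:EnableKeyRotation"]
# Lifecycle operations a data-plane principal must never hold.
LIFECYCLE = ["kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:EnableKeyRotation"]

def build_key_policy() -> dict:
    """Two Allow statements: the app role may only use the key, the security
    team may only administer it (no Encrypt/Decrypt for administrators)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AppDataPlaneOnly", "Effect": "Allow",
             "Principal": {"AWS": APP_ROLE}, "Action": DATA_ACTIONS, "Resource": "*"},
            {"Sid": "SecurityTeamAdministersKey", "Effect": "Allow",
             "Principal": {"AWS": SEC_ROLE}, "Action": ADMIN_ACTIONS, "Resource": "*"},
        ],
    }

def grants_by_principal(policy: dict) -> dict:
    """Map each principal ARN to the set of actions it is allowed (wildcards kept)."""
    grants = {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principals, actions = st["Principal"]["AWS"], st["Action"]
        for p in ([principals] if isinstance(principals, str) else principals):
            grants.setdefault(p, set()).update([actions] if isinstance(actions, str) else actions)
    return grants

def _holds(granted: set, action: str) -> bool:
    # IAM action patterns such as kms:Disable* are glob-style; match accordingly.
    return any(fnmatch.fnmatchcase(action, g) for g in granted)

def sod_violations(policy: dict) -> list:
    """Principals that can both use the key (Encrypt/Decrypt) and run a lifecycle
    operation; an empty list means separation of duties holds."""
    grants = grants_by_principal(policy)
    return [p for p, g in grants.items()
            if any(_holds(g, a) for a in DATA_ACTIONS) and any(_holds(g, a) for a in LIFECYCLE)]
```

Running sod_violations over a policy that also gave the application role kms:ScheduleKeyDeletion would return that role, which is the condition the auditors' mandate rules out.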
Exam domain: Cloud Concepts, Architecture and Design