A mobile application uses credentials saved in AWS Secrets Manager for accessing data from the Amazon RDS database. To meet audit compliance, Security Manager has requested you to modify AWS KMS keys which are used to encrypt secrets in AWS Secret Manager. You modified AWS KMS CMK using the Secrets Manager console.
Which of the following additional configurations must be done before new encryption keys are functional?

Answer options:

A.Update old CMK as deleted in AWS KMS.
B.Update the secret value with “UpdateSecret”.
C.Update the encrypted secret value manually from the AWS Secrets Manager console.
D.Update the encrypted secret value using rotating secrets.

Correct Answer: B
Whenever an AWS KMS CMK is modified for secrets in AWS Secrets Manager, the additional secret value should be updated using “UpdateSecret”. This decrypts the secret with the old CMK and encrypts using the new CMK in AWS KMS. If the old CMK is deleted before updating secrets, secrets cannot be decrypted, and the content of the secrets is lost.
Option A is incorrect as with deleting old CMK, Secret Manager will not be able to decrypt the keys, and all content will be lost. Old CMK should be disabled or deleted only once the secret value is updated using “UpdateSecret”.
Options C & D are incorrect as updating encrypted secret values is not necessary post modifying AWS KMS keys.
For more information on modifying the AWS KMS key used by a secret in AWS Secrets Manager, refer to the following URL,
https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html