Exam AWS Certified Security - Specialty topic 1 question 473 discussion

Question #: 473
Topic #: 1

A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.

The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key.

What should the company do next to meet these requirements?

  • A. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
  • B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function that runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
  • C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
  • D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
Suggested Answer: D
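As an added example (not part of the question or of any commenter's answer), the following Python performs offline the kind of check that option D's Config rule would run: it flags S3 buckets and DynamoDB tables whose default at-rest encryption is not SSE-KMS with the company's customer managed key. The key ARN and the resource inventory are constructed; the input shapes follow the GetBucketEncryption and DescribeTable API responses.

```python
# Constructed placeholder ARN standing in for the customer managed key.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

def _same_key(value, key_arn):
    """S3 may record the key as a full ARN or a bare key ID; accept both spellings."""
    return value is not None and (value == key_arn or key_arn.endswith("/" + value))

def check_bucket(name, encryption, key_arn=KEY_ARN):
    """encryption: a GetBucketEncryption response body, or None when the bucket has no config."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and _same_key(default.get("KMSMasterKeyID"), key_arn):
            return (name, "COMPLIANT", "")
    return (name, "NON_COMPLIANT", "default encryption is not SSE-KMS with the company key")

def check_table(name, sse_description, key_arn=KEY_ARN):
    """sse_description: Table.SSEDescription from DescribeTable; None means the AWS owned key."""
    sse = sse_description or {}
    if sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS" and _same_key(sse.get("KMSMasterKeyArn"), key_arn):
        return (name, "COMPLIANT", "")
    return (name, "NON_COMPLIANT", "table is not encrypted with the company key")

# Constructed sample inventory: one compliant resource of each kind plus typical drift.
SAMPLE_BUCKETS = {
    "data-kms-ok": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN}}]}},
    "data-sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "data-other-key": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/other"}}]}},
    "data-no-config": None,
}
SAMPLE_TABLES = {
    "orders": {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": KEY_ARN},
    "sessions": None,
}

def findings(buckets=SAMPLE_BUCKETS, tables=SAMPLE_TABLES, key_arn=KEY_ARN):
    """Return NON_COMPLIANT (name, status, reason) tuples, the shape a Config rule would report."""
    results = [check_bucket(n, c, key_arn) for n, c in buckets.items()]
    results += [check_table(n, s, key_arn) for n, s in tables.items()]
    return [r for r in results if r[1] == "NON_COMPLIANT"]

if __name__ == "__main__":
    for name, _, reason in findings():
        print(f"{name}: {reason}")
```

Note that this checks for the specific key, which is stricter than a managed rule that only tests whether any server-side encryption is enabled.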

Comments

cloudenthusiast
Highly Voted 2 years ago
Selected Answer: C
Option C provides the appropriate measures to encrypt all data at rest and enforce least privilege data access controls: Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS: This ensures that only authorized services or resources that require access to the encrypted data can decrypt it using the AWS KMS customer managed key. By allowing decryption only for specific services, you can enforce least privilege access controls. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key: By implementing a Service Control Policy (SCP), you can enforce the use of the specified encryption key for creating S3 buckets and DynamoDB tables. This prevents the creation of unencrypted data resources and ensures consistent encryption practices across the organization.
upvoted 5 times
AgboolaKun
1 year, 6 months ago
I am leaning towards C as well but I cannot find any AWS documentation that explains that SCP can actually be used for this type of high level functionality.
upvoted 1 times
kret
Most Recent 1 year, 2 months ago
Selected Answer: D
s3:CreateBucket action cannot be limited with a specific encryption key config, so C is wrong.
upvoted 1 times
LazyAutonomy
1 year, 3 months ago
Selected Answer: D
Answer must be D. C is wrong because as per https://docs.aws.amazon.com/AmazonS3/latest/userguide/list_amazons3.html - the s3:x-amz-server-side-encryption* condition keys are not available for the s3:CreateBucket action. If C was worded differently to say "Create an SCP that denies the upload of unencrypted objects into S3 buckets and DynamoDB tables" then C would be correct, because the s3:PutObject action has the s3:x-amz-server-side-encryption* condition keys. Btw, SCPs are totally capable of this sort of enforcement.
upvoted 3 times
kejam
1 year, 6 months ago
Selected Answer: C
Answer C: an SCP to prevent unencrypted uploads ensures that even if the bucket is created without KMS, it won't allow unencrypted data at rest. Basically forcing Ops to re-create the bucket correctly. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_s3.html DynamoDB encrypts data at rest by default: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
upvoted 1 times
Salah21
1 year, 7 months ago
Selected Answer: D
As far as I know, you can't use an SCP to deny the creation of S3 buckets and DynamoDB tables that are not encrypted with the key. This functionality is way too high level for an SCP.
upvoted 2 times
yorkicurke
1 year, 5 months ago
https://repost.aws/questions/QUUsKRARa1TmywIed1_9JpbA/scp-to-enable-block-s3-public-access
upvoted 1 times
kiwi123
1 year, 9 months ago
Selected Answer: D
I would select D
upvoted 2 times
francinetanzx
1 year, 11 months ago
Selected Answer: D
Same as kuber2023, not sure if C is the right answer as I was not able to find the right condition key to use for this scenario: https://docs.aws.amazon.com/AmazonS3/latest/userguide/list_amazons3.html But it is definitely possible to use a config rule (s3-bucket-server-side-encryption-enabled) to check for publicly accessible buckets and send notifications (it can also be expanded to enforce automatic remediation to delete those buckets...) https://asecure.cloud/a/ar_ssm_s3_bucket_encryption/
upvoted 2 times
kuber2023
1 year, 11 months ago
Selected Answer: D
C might look right but I don't think there's any such condition available that can restrict the creation of S3 bucket or DDB table using SCP. Happy to be proven wrong!
upvoted 3 times
6_8ftwin
1 year, 11 months ago
Selected Answer: C
Service principals can be used in a key policy. It is highly recommended to use the aws:SourceArn or aws:SourceAccount global condition keys. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
upvoted 1 times
danielklein09
1 year, 12 months ago
Selected Answer: C
SCP to enforce use of KMS
upvoted 2 times
Toptip
2 years ago
Selected Answer: C
C makes sense
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other