
Exam AWS Certified Security - Specialty topic 1 question 487 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 487
Topic #: 1

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

  • A. Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.
  • B. Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.
  • C. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1 as the principal.
  • D. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.
Suggested Answer: B 🗳️

Comments

6_8ftwin
Highly Voted 1 year, 12 months ago
Selected Answer: B
"If you copy an encrypted snapshot across Regions, you must specify a KMS key valid in the destination AWS Region. It can be a Region-specific KMS key, or a multi-Region key." https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-copy-snapshot.html#aurora-copy-snapshot.Encryption
upvoted 8 times
yorkicurke
Most Recent 1 year, 5 months ago
Selected Answer: B
Options C & D: why they are wrong. AWS KMS keys are Regional resources and cannot be accessed directly from another Region, which is what we are trying to do in options C and D. However, AWS KMS does support multi-Region keys [which we are not using here, but to explain]. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.
upvoted 1 times
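The rule behind answer B and the comment above (a KMS key is Regional, so a cross-Region copy must name a key that exists in the destination Region: either a new key created there or the destination-Region replica of a multi-Region key), as an added Python example that is not part of the original page or of AWS's own tooling. The ARNs, account number and snapshot identifiers are constructed placeholders; the parameter names follow boto3's rds.copy_db_cluster_snapshot call.

```python
"""Added example (not from the exam page or AWS documentation): decide whether a
KMS key ARN can encrypt an Aurora snapshot copy landing in another Region, and
assemble the CopyDBClusterSnapshot call parameters. All ARNs, the account id
and the snapshot identifiers below are constructed placeholders."""
import re
from typing import Dict

_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}):key/(?P<key_id>[a-z0-9-]+)$"
)


def classify_key(key_arn: str, dest_region: str) -> str:
    """Classify a key for use in dest_region.

    'usable'       : ARN is in dest_region, so CopyDBClusterSnapshot accepts it.
    'need-replica' : multi-Region key (key id prefixed 'mrk-') but the ARN names
                     another Region; use the replica ARN in dest_region instead.
    'need-new-key' : single-Region key in another Region; it cannot be reached
                     from dest_region, so create a key there (exam answer B).
    """
    m = _KEY_ARN.match(key_arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    if m.group("region") == dest_region:
        return "usable"
    return "need-replica" if m.group("key_id").startswith("mrk-") else "need-new-key"


def copy_snapshot_params(source_snapshot_arn: str, target_id: str,
                         dest_key_arn: str, source_region: str,
                         dest_region: str) -> Dict[str, object]:
    """Build keyword arguments for boto3 rds.copy_db_cluster_snapshot, invoked on a
    client created in dest_region. Refuses a key that is not valid there."""
    if classify_key(dest_key_arn, dest_region) != "usable":
        raise ValueError(f"{dest_key_arn} is not a KMS key in {dest_region}")
    return {
        "SourceDBClusterSnapshotIdentifier": source_snapshot_arn,  # ARN for cross-Region
        "TargetDBClusterSnapshotIdentifier": target_id,
        "KmsKeyId": dest_key_arn,          # must live in the destination Region
        "SourceRegion": source_region,     # lets boto3 presign the cross-Region copy
        "CopyTags": True,
    }


if __name__ == "__main__":
    # Constructed sample values (fake account id and key ids).
    east_key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    west_key = "arn:aws:kms:us-west-1:111122223333:key/9876dcba-98fe-76dc-54ba-0987654321fe"
    snap = "arn:aws:rds:us-east-1:111122223333:cluster-snapshot:prod-aurora-2024-01-01"
    print(classify_key(east_key, "us-west-1"))  # need-new-key
    print(copy_snapshot_params(snap, "prod-aurora-copy", west_key, "us-east-1", "us-west-1"))
```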
[Removed]
1 year, 8 months ago
Selected Answer: B
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-copy-snapshot.html#aurora-copy-snapshot.Encryption Handling encryption You can copy a snapshot that has been encrypted using a KMS key. If you copy an encrypted snapshot, the copy of the snapshot must also be encrypted. If you copy an encrypted snapshot within the same AWS Region, you can encrypt the copy with the same KMS key as the original snapshot. Or you can specify a different KMS key. If you copy an encrypted snapshot across Regions, you must specify a KMS key valid in the destination AWS Region. It can be a Region-specific KMS key, or a multi-Region key. For more information on multi-Region KMS keys, see Using multi-Region keys in AWS KMS.
upvoted 1 times
Noexperience
1 year, 10 months ago
Selected Answer: B
To set up the snapshot in us-west-1 with proper encryption, you should create a new customer managed key in the us-west-1 Region. Then, use this new key to encrypt the snapshot when copying it to the us-west-1 Region. This ensures that the snapshot remains encrypted while also allowing you to comply with the necessary encryption requirements in the target Region.
upvoted 1 times
cloudenthusiast
2 years ago
Selected Answer: B
Encryption with a customer managed key: The original Amazon Aurora DB cluster in the us-east-1 Region is encrypted with a customer managed key. This ensures that the data is protected and meets compliance requirements.
Inaccessible key: The company cannot access the key used to encrypt the original database in us-west-1. This means that using the same key for encryption in the us-west-1 Region is not possible.
Create a new customer managed key in us-west-1: To ensure proper encryption of the snapshot in the us-west-1 Region, the company should create a new customer managed key specifically for this Region. This new key will be used to encrypt the snapshot, providing the necessary encryption and compliance requirements.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other