ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 225 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 225
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company’s engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) customer managed key grants for users. Immediately after a grant is created, users must be able to use the KMS key to encrypt a 512-byte payload. During load testing, AccessDeniedException errors occur occasionally when a user first attempts to use the key to encrypt.

Which solution should the company’s security specialist recommend to eliminate these AccessDeniedException errors?

  • A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
  • B. Instruct the engineering team to consume a random grant token from users and to call the CreateGrant operation by passing the grant token to the operation. Instruct users to use that grant token in their call to encrypt.
  • C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
  • D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by jdx000 at Nov. 27, 2024, 10:03 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
m_ch333
3 months, 4 weeks ago
Selected Answer: D
D. The AWS KMS API follows an eventual consistency model. When you create a grant, the grant might not be effective immediately. To use the permissions in a new grant immediately, use the grant token for the grant. https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
upvoted 2 times
...
Pmktechno
4 months ago
Selected Answer: D
Grant Token Usage: When a grant is created, AWS KMS returns a grant token. This token can be used immediately to perform cryptographic operations with the KMS key, even before the grant is fully propagated. Immediate Access: By passing the grant token to the users and instructing them to use it in their encryption calls, you ensure that they can immediately use the KMS key without encountering access issues. This approach addresses the timing issue that causes the AccessDeniedException errors by allowing immediate use of the grant.
upvoted 1 times
...
IPLogic
4 months, 4 weeks ago
Selected Answer: D
The best solution to eliminate the AccessDeniedException errors is D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
upvoted 1 times
...
HappyG
5 months ago
Selected Answer: D
Option A acknowledges the propagation delay but relies on a suboptimal workaround (retries) instead of using the solution designed for this exact issue (grant tokens). Therefore, D is the correct answer as it resolves the problem efficiently and aligns with AWS best practices.
upvoted 1 times
...
jdx000
5 months, 1 week ago
Selected Answer: A
A because of propagation delays
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago