
Exam AWS Certified Security - Specialty topic 1 question 108 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 108
Topic #: 1

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

  • A. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.
  • B. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
  • C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
  • D. Use key policies to restrict access to the appropriate IAM groups.
Suggested Answer: C

Comments

joeboy
Highly Voted 3 years, 9 months ago
Answer: C https://aws.amazon.com/blogs/security/how-to-protect-the-integrity-of-your-encrypted-data-by-using-aws-key-management-service-and-encryptioncontext/
upvoted 22 times
gfhbox0083
Highly Voted 3 years, 8 months ago
Answer is C. One of the most important and critical concepts in AWS Key Management Service (KMS) for advanced and secure data usage is EncryptionContext. Using EncryptionContext properly can help significantly improve the security of your applications. EncryptionContext is a key-value map (both strings) that is provided to KMS with each encryption and decryption request. EncryptionContext provides three benefits: Additional authenticated data (AAD), Audit trail, Authorization context ...
upvoted 12 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
AAD > EncryptionContext. Correct answer is C
upvoted 1 times
addy_prepare
1 year, 10 months ago
Selected Answer: C
C - is correct https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
upvoted 1 times
soyyodario
2 years ago
Answer: C https://docs.aws.amazon.com/crypto/latest/userguide/cryptography-concepts.html#term-aad additional authenticated data (AAD) Nonsecret data that is provided to encryption and decryption operations to add an additional integrity and authenticity check on the encrypted data. Typically, the decrypt operation fails if the AAD provided to the encrypt operation does not match the AAD provided to the decrypt operation. AWS Key Management Service (AWS KMS) and the AWS Encryption SDK both support AAD by using an encryption context.
upvoted 1 times
ITGURU51
2 years, 1 month ago
EncryptionContext is KMS’s implementation of AAD. I highly recommend that you use it to ensure that unencrypted data related to the ciphertext is protected against tampering. C
upvoted 1 times
Nikhil0222
2 years, 2 months ago
C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK. kms:EncryptionContext can be used to ensure that the data being encrypted is tagged with a specific context, such as a resource or user ID. This tag can then be used as a condition in the IAM policy for the CMK, allowing the Security Engineer to control which IAM users and roles are able to use the CMK to encrypt or decrypt data based on the context of the data being processed.
upvoted 1 times
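The two roles the comments above give the encryption context (an IAM authorization condition via kms:EncryptionContext, and AAD bound into the ciphertext) can be shown side by side. The block below is an added example, not code from the exam page or from AWS: the policy, key ARN and context values are made up, `policy_allows` is a deliberately small model of how IAM evaluates a `kms:EncryptionContext:<key>` StringEquals condition (not IAM itself), and `toy_encrypt`/`toy_decrypt` are a standard-library HMAC stand-in for the AES-GCM AEAD that KMS uses internally, included only to show why decryption fails when the context changes.

```python
"""Added example: models the two jobs of a KMS encryption context.
1. Authorization: an IAM condition on kms:EncryptionContext:<key>.
2. AAD integrity: the context is bound into the authentication tag.
The AEAD here is a toy and must not be used to protect real data."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Hypothetical policy: Encrypt/Decrypt with this CMK is allowed only when the
# request's encryption context contains department=payroll.  The condition key
# form kms:EncryptionContext:<context-key> is the real IAM condition key;
# the ARN is a placeholder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER",
        "Condition": {"StringEquals": {"kms:EncryptionContext:department": "payroll"}},
    }],
}

def policy_allows(policy: dict, action: str, context: Dict[str, str]) -> bool:
    """Minimal model of IAM evaluation for kms:EncryptionContext conditions.
    A statement matches only if every kms:EncryptionContext:<k> key in its
    StringEquals block is present in the request context with the same value;
    a request that omits the key does not match (missing key != match)."""
    prefix = "kms:EncryptionContext:"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k[len(prefix):]) == v
               for k, v in conds.items() if k.startswith(prefix)):
            return True
    return False

def _canonical(context: Dict[str, str]) -> bytes:
    # Serialise the string->string map deterministically so the same logical
    # context always yields the same AAD bytes, regardless of key order.
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes, context: Dict[str, str]) -> bytes:
    """Encrypt-then-MAC with the context as AAD: nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + _canonical(context) + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def toy_decrypt(key: bytes, blob: bytes, context: Dict[str, str]) -> Optional[bytes]:
    """Returns the plaintext, or None if the ciphertext or the context differs
    from what was authenticated at encryption time (fail closed, as KMS does)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + _canonical(context) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    """Runs both checks on constructed data and returns the outcomes."""
    key = os.urandom(32)
    ctx = {"department": "payroll", "purpose": "ec-demo"}   # constructed context
    blob = toy_encrypt(key, b"salary table", ctx)
    tampered = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]  # flip one ciphertext bit
    return {
        "allowed_with_context": policy_allows(POLICY, "kms:Decrypt", ctx),
        "allowed_without_context": policy_allows(POLICY, "kms:Decrypt", {}),
        "decrypt_same_context": toy_decrypt(key, blob, ctx),
        "decrypt_other_context": toy_decrypt(key, blob, {"department": "hr"}),
        "decrypt_tampered": toy_decrypt(key, tampered, ctx),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two points worth noticing: the policy check denies a request that simply omits the context key, which is what makes option C an access control rather than a labelling convenience; and the integrity check treats a changed context exactly like a changed ciphertext, which is the AAD property the AWS definitions quoted in the thread describe.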
ITGURU51
2 years, 3 months ago
At its core, using authenticated encryption prevents tampering with ciphertext itself. Authenticated encryption is built into KMS, so if you can successfully decrypt a message using KMS, an authorized user must have created that message. You can almost think of this as providing a “signature” over the ciphertext.
upvoted 1 times
Sarksa
2 years, 11 months ago
Selected Answer: C
kms:EncryptionContext helps against tampering of the ciphertext.
upvoted 3 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: C
additional authenticated data (AAD) => kms:EncryptionContext
upvoted 3 times
Radhaghosh
3 years, 5 months ago
Answer C --> Encryption Context
upvoted 1 times
Larsson
3 years, 8 months ago
C it is. This question is commonly available from other sources as well.
upvoted 2 times
awssecuritynewbie
3 years, 8 months ago
The answer is C. The answer to the question says D but then points to a document that talks about AAD, and that is encryption context. Hope this helps guys.
Encryption context: A type of additional authenticated data (AAD) (p. 2). It typically consists of nonsecret, arbitrary, name–value pairs. In most cases, you can provide an encryption context when you encrypt data. The same encryption context must be provided to decrypt the data. The encryption context is usually optional but recommended. The term encryption context has different meanings in various AWS services and tools. This can be confusing, so be sure to understand how your tool or service interprets this term.
upvoted 4 times
wzlinux
3 years, 8 months ago
C is correct
upvoted 1 times
testing4321
3 years, 8 months ago
Ans is C
upvoted 1 times
RaySmith
3 years, 9 months ago
C for me
upvoted 1 times
luis12345
3 years, 9 months ago
Answer is C
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other