Exam AWS Certified Data Analytics - Specialty topic 1 question 12 discussion

Answer should be A and C. Using HSM you have to create a new cluster (that eliminates B). See link below, it clearly states "You can't enable hardware security module (HSM) encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster" https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html In the same link it says you have create certificates. My thinking that its not D, its because it can be already configured when you are settinp up the cluster. (option C)

Answer: A, C When you use an HSM, you must use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM. Reference link: https://docs.amazonaws.cn/en_us/redshift/latest/mgmt/security-key-management.html To migrate an unencrypted cluster to a cluster encrypted using a hardware security module (HSM), you create a new encrypted cluster and move your data to the new cluster. Reference link: https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html

Bing is answering C and D. By this explanation Option A suggests setting up a trusted connection with HSM using a client and server certificate with automatic key rotation. While this is a valid method for some systems, it’s not directly applicable to Amazon Redshift. Redshift doesn’t support this method for enabling encryption. Option C is correct because Amazon Redshift doesn’t allow you to modify an existing cluster to use HSM encryption. You would need to create a new HSM-encrypted Redshift cluster and migrate the data to it. Option D is also correct. Once the new HSM-encrypted Redshift cluster is set up, you can enable HSM with key rotation through the AWS CLI.

It's AC

AC: I passed the test

Correct answer is A & C as Redshift does not allow encrypting existing cluster using HSM and there needs to be trust connection established between Redshift and HSM. Options B & D are wrong as You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption. Option E is wrong as it is not valid.

Answer-A,C

Answer is A & C

Answer-A,C

A and C

A, C is correct but why Redshift with HSM is asked in 2020? Redshift only works with HSM Classic and new customer can't create HSM classic anymore.

Answer: A,C (Similar question is there in Jon Bonso's practice exam).

B = wrong, to use HSM you have to create new clusters. D = wrong, key rotation is not done by HSM, but Redshift. E = wrong, nonsense. This is a textbook question. https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html#migrating-to-an-encrypted-cluster

the answers are A and C.

Definitely A and C. First answer is from the link provided by testtaker3434, and 2nd answer from the following link https://docs.aws.amazon.com/redshift/latest/mgmt/security-key-management.html

A, C is the right answer

A and C are correct