Exam AWS Certified Data Analytics - Specialty topic 1 question 12 discussion

Exam question from Amazon's AWS Certified Data Analytics - Specialty

Question #: 12
Topic #: 1

[All AWS Certified Data Analytics - Specialty Questions]

A banking company is currently using an Amazon Redshift cluster with dense storage (DS) nodes to store sensitive data. An audit found that the cluster is unencrypted. Compliance requirements state that a database with sensitive data must be encrypted through a hardware security module (HSM) with automated key rotation.
Which combination of steps is required to achieve compliance? (Choose two.)

A. Set up a trusted connection with HSM using a client and server certificate with automatic key rotation.
B. Modify the cluster with an HSM encryption option and automatic key rotation.
C. Create a new HSM-encrypted Amazon Redshift cluster and migrate the data to the new cluster.
D. Enable HSM with key rotation through the AWS CLI.
E. Enable Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) encryption in the HSM.

Show Suggested Answer

Suggested Answer: AC 🗳️

by testtaker3434 at Aug. 9, 2020, 1:55 p.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

testtaker3434

Highly Voted 3 years, 10 months ago

Answer should be A and C. Using HSM you have to create a new cluster (that eliminates B). See link below, it clearly states "You can't enable hardware security module (HSM) encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster" https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html In the same link it says you have create certificates. My thinking that its not D, its because it can be already configured when you are settinp up the cluster. (option C)

upvoted 48 times

GeeBeeEl

3 years, 9 months ago

I dont agree with you on c...... that site you referenced says "When you modify your cluster to enable KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. " also see https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html

upvoted 2 times

GeeBeeEl

3 years, 9 months ago

I see now why C is correct --- "To migrate an unencrypted cluster to a cluster encrypted using a hardware security module (HSM), you create a new encrypted cluster and move your data to the new cluster. So I agree C is correct

upvoted 3 times

...

Nicki1013

Highly Voted 3 years, 10 months ago

Answer: A, C When you use an HSM, you must use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM. Reference link: https://docs.amazonaws.cn/en_us/redshift/latest/mgmt/security-key-management.html To migrate an unencrypted cluster to a cluster encrypted using a hardware security module (HSM), you create a new encrypted cluster and move your data to the new cluster. Reference link: https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html

upvoted 15 times

...

tsangckl

Most Recent 1 year, 4 months ago

Bing is answering C and D. By this explanation Option A suggests setting up a trusted connection with HSM using a client and server certificate with automatic key rotation. While this is a valid method for some systems, it’s not directly applicable to Amazon Redshift. Redshift doesn’t support this method for enabling encryption. Option C is correct because Amazon Redshift doesn’t allow you to modify an existing cluster to use HSM encryption. You would need to create a new HSM-encrypted Redshift cluster and migrate the data to it. Option D is also correct. Once the new HSM-encrypted Redshift cluster is set up, you can enable HSM with key rotation through the AWS CLI.

upvoted 1 times

...

NikkyDicky

2 years ago

Selected Answer: AC

It's AC

upvoted 1 times

...