ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 178 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C02
Question #: 178
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C02 Questions]

A company has recently updated its internal security standards. The company must now ensure all Amazon S3 buckets and Amazon Elastic Block Store (Amazon
EBS) volumes are encrypted with keys created and periodically rotated by internal security specialists. The company is looking for a native, software-based AWS service to accomplish this goal.
What should a solutions architect recommend as a solution?

  • A. Use AWS Secrets Manager with customer master keys (CMKs) to store master key material and apply a routine to create a new CMK periodically and replace it in AWS Secrets Manager.
  • B. Use AWS Key Management Service (AWS KMS) with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in AWS KMS.
  • C. Use an AWS CloudHSM cluster with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in the CloudHSM cluster nodes.
  • D. Use AWS Systems Manager Parameter Store with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in the Parameter Store.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by AjNapa at Aug. 9, 2020, 4:11 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
eug45
Highly Voted 3 years, 11 months ago
The answer is B Store the credentials in AWS Key Management Service, it is used for creating and managing encryption keys
upvoted 67 times
...
Paitan
Highly Voted 3 years, 11 months ago
Looking native, software-based AWS service. So it has to be AWS KMS.
upvoted 35 times
Paitan
3 years, 11 months ago
I appeared for the exam on 12-Aug and passed. The exact question appeared in the exam and I answered B but later got confused and changed to C during review. Still not sure which is the right answer :-)
upvoted 6 times
sonni346
3 years, 11 months ago
CloudHSM is hardware-based so I don't think C is the right answer. https://aws.amazon.com/cloudhsm/ "AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud."
upvoted 9 times
...
studybuddy12
3 years, 10 months ago
i think it is B ... you can enable automatic key rotation with CMK in KMS "Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 10 times
...
...
...
mfaktas
Most Recent 1 year, 9 months ago
Selected Answer: B
B. Use AWS Key Management Service (AWS KMS) with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in AWS KMS. AWS Key Management Service (AWS KMS) is a native, software-based service that allows you to create and control the encryption keys used to encrypt your data. You can use customer master keys (CMKs) in AWS KMS for encryption of Amazon S3 buckets and Amazon EBS volumes. By periodically rotating the keys, you enhance security. AWS KMS provides a convenient way to manage key lifecycle, including key rotation, without the need for manual intervention. It integrates well with other AWS services, making it a suitable choice for scenarios like the one described.
upvoted 1 times
...
BABU97
2 years, 5 months ago
CHATGPT RESONATES WITH B By using AWS KMS with customer master keys (CMKs), the company can ensure that all Amazon S3 buckets and Amazon Elastic Block Store (Amazon EBS) volumes are encrypted with keys created and periodically rotated by internal security specialists. The CMKs can be set to expire after a certain period, at which point a new CMK can be created and applied. Option A is not the best solution as AWS Secrets Manager is designed to securely store secrets such as database credentials, API keys, and other sensitive information, but not for storing encryption keys. Option C is not ideal for this scenario as AWS CloudHSM is a hardware security module that provides secure key storage and cryptographic operations. While it is highly secure, it is also more complex to set up and manage. Option D is also not the best solution as AWS Systems Manager Parameter Store is designed for storing and managing configuration data, but not for storing encryption keys.
upvoted 1 times
...
Sachin032
2 years, 6 months ago
B is the right answer with KMS and CMS , key can rotated and managed by customer
upvoted 1 times
...
Chris22usa
2 years, 10 months ago
A is right . Secret Manager can use rotating original keys like A, B,C,D..., KMS use rotating encryption keys based on original material. For instance , make A1,A2,A3,A4.. based on A by envelop encryption.This topic is about rotating like A,B,C,D... these keys is provided by specialists . So just use secret manager
upvoted 1 times
Rupak10
2 years, 6 months ago
Secret Manager never keep the encryption key .They only store password.
upvoted 1 times
...
...
Chris22usa
2 years, 10 months ago
A is right
upvoted 1 times
...
Saja_24
2 years, 12 months ago
Selected Answer: B
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html B
upvoted 1 times
...
cloud_collector
3 years ago
B should be right With Amazon S3 default encryption, you can set the default encryption behavior for an S3 bucket so that all new objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS keys stored in AWS Key Management Service (AWS KMS) (SSE-KMS). https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html Amazon EBS offers a straight-forward encryption solution of data at rest , data in transit, and all volume backups. Amazon EBS encryption is supported by all volume types, and includes built-in key management infrastructure without having you to build, maintain, and secure your own keys. We use AWS Key Management Service (AWS KMS) envelope encryption with customer master keys (CMK) for your encrypted volumes and snapshots. https://aws.amazon.com/blogs/compute/must-know-best-practices-for-amazon-ebs-encryption/
upvoted 1 times
...
fsanaja1
3 years, 4 months ago
Selected Answer: A
A, CMS keys will be managed from costumer
upvoted 1 times
...
SmartDude
3 years, 5 months ago
Selected Answer: B
Store the credentials in AWS Key Management Service, it is used for creating and managing encryption keys
upvoted 4 times
...
muhsin
3 years, 8 months ago
Ans: A Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret value with a unique data key that is protected by an AWS KMS key. This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted. It also enables you to set custom permissions on the KMS key and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.
upvoted 1 times
...
KyleZheng
3 years, 9 months ago
Seems to be A, see https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html
upvoted 2 times
omunoz
3 years, 9 months ago
The URL you have provided says "Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret value with a unique data key that is protected by an AWS KMS key. This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted" . So it seems to be B the right answer.
upvoted 2 times
omunoz
3 years, 9 months ago
Ans it seems is to encrypt passwords (secrets)..
upvoted 1 times
...
...
...
woke
3 years, 9 months ago
A. Use AWS Secrets Manager with customer master keys (CMKs) to store master key material and apply a routine to create a new CMK periodically and replace it in AWS Secrets Manager.
upvoted 1 times
...
nickname20212021
3 years, 9 months ago
Passed the exam on 26th June, this question was on my test.
upvoted 2 times
cutecolt
3 years, 3 months ago
Seeing this comment in many questions and seem to be targeting for marketing.
upvoted 3 times
...
...
Always_Wanting_Stuff
3 years, 9 months ago
I agree with B. (https://aws.amazon.com/kms/features/#Secure) Encryption keys are stored in KMS, not Secrets Manager. Secrets Manager stores database credentials, API keys & OAuth tokens.
upvoted 5 times
...
Chethan77
3 years, 9 months ago
as per https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html A can also fit
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel