Exam AWS Certified Solutions Architect - Professional topic 1 question 568 discussion

A. KEYS not controlled by the firm(AWS KMS). KO B. KEYS not controlled by the firm(AWS KMS) and access through internet. KO C. KEYS controlled by the firm (CloudHSM) and access to AWS public resources trhough internal VPC endpoints. OK. D. This restricts that financial service users can access just to this bucket trhough the vpc link, does not prevent anybody else to read the bucket. KO E. This will enforce the access to the bucket from the financial users vpc. OK. Then CE

A & E. VPC endpoints and bucket policies...without removing the existing PutObject permissions for the users who are uploading. https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

keys controlled by the firm doesn't mean CloudHSM. If there is no specific requirement, always CMK. So A is correct. E over D is obvious. AAAA EEEE

I would go with C and E Reason for C: Encryption in transit is required not encryption at rest https://docs.aws.amazon.com/cloudhsm/latest/userguide/data-protection.html Application connects to CloudHSM using interface endpoint and S3 with gateway endpoint Reason for E: Gateway endpoint need bucket policy to restrict from VPCE Reason for E:

vote AE

A. Launch the Amazon EMR cluster in a private subnet configured to use an AWS KMS CMK for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and an interface VPC endpoint for AWS KMS. E. Configure the S3 bucket policies to permit access using an aws:sourceVpce condition to match the S3 endpoint ID.

A,E is correct

Perhaps the issue is wrong. I found that there were the following releases for CloudHSM: https://aws.amazon.com/about-aws/whats-new/2021/02/introducing-amazon-vpc-endpoints-aws-cloudhsm/?nc1=h_ls In other words, until February of this year, it was not possible to create a VPC endpoint in CloudHSM. Therefore A & E is correct.

SSE-S3: AWS manages both data key and master key SSE-KMS: AWS manages data key and you manage master key SSE-C: You manage both data key and master key See this doc for more details: http://amzn.to/2iVsGvM A ) Server-Side Encryption SSE-S3 (AWS-Managed Keys) => When the requirement is to keep the encryption work simple and minimise the maintenance overhead then use SSE-S3. SSE-KMS (AWS KMS Keys) => When the requirement is to maintain a security audit trail then use SSE-KMS Keys. SSE-C (Customer-Provided Keys) => When end-to-end encryption is not required and the client wants full control of his/her security keys, then use SSE-C. B) Client-Side Encryption AWS KMS-managed, customer master key => When the requirement is to maintain end-to-end encryption plus a security audit trail, then use AWS KMS Keys. Client Managed Master Key => When the requirement is to maintain end-to-end encryption but the client wants full control of his/her security keys, then use Client Managed Master Key.

A and E

I'll go with A,E

A E While C looks like a close one it is not a complete one, the cluster instances would need HSM client software to make it work which is missing from the answer. On the otherhand A just meets the requirements. https://aws.amazon.com/cloudhsm/features/

it's A ,E

For those who are voting for C, Doubt that EMR supports CloudHSM based encryption option. https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html

Guys inpindado is correct. I have confirmed with my materials from Neal Davis. The key requirements is to keep environment isolated from the Internet and with that we could use AWS CLOUDHSM and VPC condition should match S3 endpoints ID.

A and E for me. CMK is managed by firm and E is no question.

going for A,E