
Exam AWS Certified Solutions Architect - Professional topic 1 question 603 discussion

A financial services company logs personally identifiable information to its application logs stored in Amazon S3. Due to regulatory compliance requirements, the log files must be encrypted at rest. The security team has mandated that the company's on-premises hardware security modules (HSMs) be used to generate the CMK material.
Which steps should the solutions architect take to meet these requirements?

  • A. Create an AWS CloudHSM cluster. Create a new CMK in AWS KMS using AWS_CloudHSM as the source for the key material and an origin of AWS_CLOUDHSM. Enable automatic key rotation on the CMK with a duration of 1 year. Configure a bucket policy on the logging bucket that disallows uploads of unencrypted data and requires that the encryption source be AWS KMS.
  • B. Provision an AWS Direct Connect connection, ensuring there is no overlap of the RFC 1918 address space between on-premises hardware and the VPCs. Configure an AWS bucket policy on the logging bucket that requires all objects to be encrypted. Configure the logging application to query the on-premises HSMs from the AWS environment for the encryption key material, and create a unique CMK for each logging event.
  • C. Create a CMK in AWS KMS with no key material and an origin of EXTERNAL. Import the key material generated from the on-premises HSMs into the CMK using the public key and import token provided by AWS. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.
  • D. Create a new CMK in AWS KMS with AWS-provided key material and an origin of AWS_KMS. Disable this CMK, and overwrite the key material with the key material from the on-premises HSM using the public key and import token provided by AWS. Re-enable the CMK. Enable automatic key rotation on the CMK with a duration of 1 year. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.
Suggested Answer: C
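As an added worked example (not part of the original question or of any comment below), the following Python writes out the bucket policy that option C describes, the two Deny statements AWS documents for requiring SSE-KMS on PutObject, and runs sample PutObject requests through a small evaluator of the IAM condition operators those statements use. The bucket name, object key and the DescribeKey-style metadata are constructed placeholders, and the evaluator only covers the operators the policy needs.

```python
import json

# Bucket policy for option C (constructed example; the bucket name is a placeholder).
BUCKET_NAME = "example-app-logs"  # placeholder, not a real bucket

REQUIRE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny uploads that carry no server-side-encryption header at all
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET_NAME}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # Deny uploads encrypted with anything other than SSE-KMS (e.g. AES256 / SSE-S3)
            "Sid": "DenyNonKmsEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET_NAME}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}


def policy_json() -> str:
    """Serialise the policy as it would be handed to put-bucket-policy."""
    return json.dumps(REQUIRE_SSE_KMS_POLICY, indent=2)


def _resource_matches(pattern: str, arn: str) -> bool:
    # Only the trailing-wildcard form used above is supported by this toy evaluator.
    if pattern.endswith("*"):
        return arn.startswith(pattern[:-1])
    return arn == pattern


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the subset of IAM condition operators used in the policy.
    Every operator/key pair in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            elif operator == "StringNotEquals":
                # IAM treats a key missing from the request context as "not equal".
                if actual is not None and actual == expected:
                    return False
            elif operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def put_object_denied(policy: dict, bucket: str, headers: dict):
    """Return the Sid of the first Deny statement matching a PutObject request
    that carries the given HTTP headers, or None when no Deny statement applies."""
    arn = f"arn:aws:s3:::{bucket}/app.log"  # constructed object key
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not _resource_matches(stmt["Resource"], arn):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


def byok_key_ready(key_metadata: dict) -> bool:
    """Check DescribeKey-style metadata (constructed here) for the BYOK state the
    answer relies on: Origin EXTERNAL and KeyState Enabled. A key still in
    PendingImport, or one created with AWS_KMS material, fails the check."""
    return key_metadata.get("Origin") == "EXTERNAL" and key_metadata.get("KeyState") == "Enabled"


if __name__ == "__main__":
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", put_object_denied(REQUIRE_SSE_KMS_POLICY, BUCKET_NAME, hdrs))
```

An upload with no encryption header hits the first Deny, an SSE-S3 (AES256) upload hits the second, and only an upload with `x-amz-server-side-encryption: aws:kms` passes both, which is the behaviour option C calls for. The `byok_key_ready` check mirrors the state sequence in the comments: a key created with `--origin EXTERNAL` starts in `PendingImport` and is usable only once the HSM-generated material has been imported.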

Comments

Nemer
Highly Voted 3 years, 8 months ago
C. Create CMK with origin EXTERNAL. https://aws.amazon.com/blogs/security/how-to-byok-bring-your-own-key-to-aws-kms-for-less-than-15-00-a-year-using-aws-cloudhsm/
upvoted 21 times
...
Ebi
Highly Voted 3 years, 7 months ago
C is my choice
upvoted 6 times
...
et22s
Most Recent 2 years, 6 months ago
Selected Answer: C
C: KMS keys designed for imported key material have an origin value of EXTERNAL that cannot be changed. You cannot convert a KMS key for imported key material to use key material from any other source, including AWS KMS. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-considerations
upvoted 1 times
...
pankajrawat
3 years, 1 month ago
Selected Answer: C
C is the correct answer
upvoted 1 times
...
AzureDP900
3 years, 6 months ago
I will go with C
upvoted 1 times
...
cldy
3 years, 6 months ago
C. Create a CMK in AWS KMS with no key material and an origin of EXTERNAL. Import the key material generated from the on-premises HSMs into the CMK using the public key and import token provided by AWS. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.
upvoted 1 times
...
AzureDP900
3 years, 6 months ago
C is the correct answer!
upvoted 1 times
...
backfringe
3 years, 6 months ago
I go with C
upvoted 1 times
...
acloudguru
3 years, 6 months ago
Selected Answer: C
C,https://aws.amazon.com/blogs/security/how-to-byok-bring-your-own-key-to-aws-kms-for-less-than-15-00-a-year-using-aws-cloudhsm/
upvoted 2 times
...
tgv
3 years, 7 months ago
CCC ---
upvoted 1 times
...
blackgamer
3 years, 7 months ago
C is the answer.
upvoted 1 times
...
WhyIronMan
3 years, 7 months ago
I'll go with C
upvoted 1 times
...
Waiweng
3 years, 7 months ago
It's C.
upvoted 3 times
...
kopper2019
3 years, 7 months ago
It's C.

Step 1: Create the CMK with no key material associated. Begin by creating a customer master key (CMK) in AWS KMS that has no key material associated. The CLI command to create the CMK is as follows:

$ aws kms create-key --origin EXTERNAL --region us-east-1

If successful, you'll see an output on the CLI similar to below. The KeyState will be PendingImport and the Origin will be EXTERNAL.
upvoted 5 times
...
T14102020
3 years, 8 months ago
Correct is C. Create CMK with origin EXTERNAL.
upvoted 1 times
...
jackdryan
3 years, 8 months ago
I'll go with C
upvoted 4 times
...
CYL
3 years, 8 months ago
C. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
upvoted 2 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other