Exam AWS Certified Data Analytics - Specialty topic 1 question 41 discussion

Answer is B – C and D are cancelled because – EMR is not needed to process DynamoDB streams. Lambda function would be good enough. Option A is wrong because it suggests decrypting the data and storing in S3 which is not good since it contains sensitive fields. Option B is correct because Redshift will only decrypt the data while reading it.

Correct: A C and D can be eliminated because this is a shared Redshift cluster, so you need to create a table accessible only to the finance team. B is wrong as the application uses DynamoDB client-side encryption (not S3 client-side encryption), which means it will not automatically decrypt by AWS, and needs manual decryption before sending to S3 and then COPY’d into Redshift. Even if you want to use COPY ENCRYPTED to copy client-side encrypted S3 files, you need to specify credentials not IAM roles. REPORT THIS AD REPORT THIS AD However, DynamoDB stream only does new data, so existing data won’t be processed, this is not a perfect answer. https://docs.aws.amazon.com/redshift/latest/dg/c_loading-encrypted-files.html

<a href=“https://striveenterprise.com/digital-marketing-tampa-fl/”>Digital marketing</a> isn't just about selling a product; it's about crafting an immersive brand experience. It's the fusion of compelling storytelling, cutting-edge technology, and a deep understanding of consumer psychology.

When you load an encrypted file from Amazon S3 to Redshift, the encryption involved is neither purely client-side nor server-side using AWS KMS. It's a hybrid approach Decryption during Load: When you use the COPY command in Redshift to load the data, Redshift retrieves the data key from KMS using its IAM role or credentials. This retrieval can be considered a server-side operation from Redshift's perspective.

Lambda function processes the DynamoDB stream, the sensitive data encrypted with KMS keys can be decrypted securely using the same KMS key. Storing the decrypted data in a restricted S3 bucket accessible only to the finance team ensures that sensitive information is not exposed to unauthorised users. Creating a dedicated finance table in Redshift is accessible only to the finance team ensures that the aggregated sensitive data remains confidential and is not accessible by others. The COPY command to load data from the restricted S3 bucket into the finance table in Redshift is efficient. B- loading encrypted data directly into Redshift and decrypting it during the COPY process is not directly supported as part of the COPY command. C, D - involve using EMR and Apache Hive, which could add complexity and operational overhead to the data processing workflow and decryption needs to occur before the data can be processed by EMR.

Will go for B

B is wrong because the data is encrypted before loading into DynamoDB which implies that it is client side encryption and Redshift doesn't support the client side encryption - https://docs.aws.amazon.com/redshift/latest/dg/c_loading-encrypted-files.html

B. A and B are similar but B is more secure option

B is incorrect, this option omits the step of decrypting the data before saving, I think A is the correct option.

The COPY command doesn't support the following types of Amazon S3 encryption: Answer A Server-side encryption with customer-provided keys (SSE-C) Client-side encryption using an AWS KMS key Client-side encryption using a customer-provided asymmetric root key

A is the answer

A: I passed the test

Answer is B as lambda can analyze the data in dynamo db and is save to restricted bucket which cannot be accessed without desired permission. Also to copy from s3 bucket to redshift it requires IAM role.

https://docs.aws.amazon.com/redshift/latest/dg/c_loading-encrypted-files.html

Option B is not the best solution because it does not address the need to decrypt the sensitive data before loading it into Amazon Redshift. The finance team needs to be able to aggregate the values within the sensitive fields, which would not be possible if the data is not decrypted before loading it into Redshift. Option A solves this problem by creating a Lambda function that processes the DynamoDB stream and decrypts the sensitive data using the same KMS key used for encryption before loading it into Redshift. The data is also saved to a restricted S3 bucket to ensure that only the finance team has access to it.

the decrypting is automatically done by AWS as the data is moved from Dynamo to S3. Before it's written to S3 it's reencyrpted using SSE. Writing to S3 and leaving it decrypting (as Option A suggests) would not be a secure move. Hence B should be the right answer.

Ans- B