ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Data Analytics - Specialty All Questions

View all questions & answers for the AWS Certified Data Analytics - Specialty exam
Go to Exam

Exam AWS Certified Data Analytics - Specialty topic 1 question 69 discussion

Exam question from Amazon's AWS Certified Data Analytics - Specialty
Question #: 69
Topic #: 1
[All AWS Certified Data Analytics - Specialty Questions]

A company uses the Amazon Kinesis SDK to write data to Kinesis Data Streams. Compliance requirements state that the data must be encrypted at rest using a key that can be rotated. The company wants to meet this encryption requirement with minimal coding effort.
How can these requirements be met?

  • A. Create a customer master key (CMK) in AWS KMS. Assign the CMK an alias. Use the AWS Encryption SDK, providing it with the key alias to encrypt and decrypt the data.
  • B. Create a customer master key (CMK) in AWS KMS. Assign the CMK an alias. Enable server-side encryption on the Kinesis data stream using the CMK alias as the KMS master key.
  • C. Create a customer master key (CMK) in AWS KMS. Create an AWS Lambda function to encrypt and decrypt the data. Set the KMS key ID in the function's environment variables.
  • D. Enable server-side encryption on the Kinesis data stream using the default KMS key for Kinesis Data Streams.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by testtaker3434 at Aug. 28, 2020, 1:01 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
KoMo
Highly Voted 3 years, 10 months ago
B. https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html
upvoted 20 times
...
cloudlearnerhere
Highly Voted 2 years, 9 months ago
Selected Answer: B
Correct answer is B as Kinesis Data Streams supports data at rest encryption using Server-Side encryption. Data is encrypted before persisting and decrypted before being read by the consumers and requires no changes to producers and consumers. Options A & C are wrong as it would require coding effort. Option D is wrong as the default key cannot be rotated.
upvoted 6 times
...
Debi_mishra
Most Recent 2 years, 2 months ago
B is correct. D is wrong - AWS Managed keys are rotated but as per AWS not as per customer. Here customer want rotation capability and they might want to do it number of times in a year.
upvoted 1 times
...
pk349
2 years, 3 months ago
B: I passed the test
upvoted 1 times
...
rocky48
3 years ago
Selected Answer: B
Selected Answer: B
upvoted 1 times
...
Ramshizzle
3 years, 1 month ago
Selected Answer: B
It should be B. B describes the method to encrypt your data at rest inside your Kinesis Data Streams. Option D is the only valid alternative given the constraints, but there is no valid method to rotate this key yourself. So I would argue this key is not rotatable.
upvoted 1 times
...
MWL
3 years, 3 months ago
Selected Answer: B
Vote for B. I think "rotatable key" means you can rotate manually, it should be CMK, not AWS managed key. D said "using the default KMS key", it is saying to use AWS managed key. So it's not right.
upvoted 2 times
...
Teraxs
3 years, 3 months ago
Selected Answer: D
I'd say D: A and C are out because they involve more coding. B would work, but key rotation of CMK is disabled by default and the answer did not say to enable it (but mentions creation and alias, so that was likely left out on purpose) D works, is the simplest and the key is rotated by default (no every year, used to be every 3 years) Paragraph "Customer managaged keys" in https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-owned-keys
upvoted 2 times
MWL
3 years, 3 months ago
I think "rotatable key" means you can rotate manually, it should be CMK, not AWS managed key.
upvoted 2 times
...
...
jrheen
3 years, 3 months ago
Answer - B
upvoted 1 times
...
aws2019
3 years, 8 months ago
B is the right answer
upvoted 1 times
...
lostsoul07
3 years, 9 months ago
B is the right answer
upvoted 2 times
...
jay1ram2
3 years, 9 months ago
The Answer is B. You cannot rotate "AWS Managed CMK" i.e. Default keys. It is automatically rotated every 3 years. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 3 times
...
Subho_in
3 years, 9 months ago
"key that can be rotated" it is talking about CMK. B must be the answer.
upvoted 2 times
...
gtourkas
3 years, 9 months ago
Just checked the Kinesis console. You can select either the default or the CMK for encryption at rest. Since rotation can be set for the CMK, B is the answer.
upvoted 3 times
...
Shivibaheti
3 years, 9 months ago
D. the FAQ's https://aws.amazon.com/kinesis/data-streams/faqs/#kinesis-encryption question : "What is server-side encryption" It mentions "Server-side encryption for Kinesis Data Streams automatically encrypts data using a user specified AWS KMS master key (CMK) "
upvoted 2 times
sly_tail
2 years, 4 months ago
No, there is no such thing as default key for KDS. It's B
upvoted 1 times
...
...
Draco31
3 years, 9 months ago
B. it's written here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html You cannot rotate key that you did not create
upvoted 3 times
...
Sent1
3 years, 10 months ago
It should be B. Here is the link, https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel