Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 250 discussion

A company wants to share forensic accounting data that is stored in an Amazon RDS DB instance with an external auditor. The auditor has its own AWS account and requires its own copy of the database.
How should the company securely share the database with the auditor?

  • A. Create a read replica of the database and configure IAM standard database authentication to grant the auditor access.
  • B. Copy a snapshot of the database to Amazon S3 and assign an IAM role to the auditor to grant access to the object in that bucket.
  • C. Export the database contents to text files, store the files in Amazon S3, and create a new IAM user for the auditor with access to that bucket.
  • D. Make an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key.
Suggested Answer: D

Comments

yogen
Highly Voted 3 years, 7 months ago
I cleared the exam today on 26-Jan. This question was there in the exam; I marked D, i.e. share the encrypted snapshot and give access on KMS.
upvoted 54 times
thoughbore
3 years, 6 months ago
How do you encrypt a snapshot if the original database is not encrypted?
upvoted 2 times
viva64
3 years, 6 months ago
Does the question say the DB is not encrypted? Stop misleading, please!
upvoted 2 times
SDikeman62
3 years, 1 month ago
If the original db is encrypted, it should just say take a snapshot. There is no such thing as take encrypted snapshot.
upvoted 1 times
...
...
...
Rajjay
3 years, 5 months ago
Congratulations on passing the exam. Question: Option D states "share the snapshot". How? I think the only way to do this securely is via an IAM role. The auditor has an AWS service account and S3 is one of the oldest services.
upvoted 3 times
...
crazyaboutazure
3 years, 6 months ago
Should be D, as the accountant requires its own copy and it should be shared securely, so encryption is required and the AWS key can be used to access it. DB authentication won't work here, as that authentication is valid for MySQL or PostgreSQL, which is not mentioned in the question.
upvoted 5 times
...
EmeraldTech
3 years, 4 months ago
I agree with you. The answer is D since the Auditor needs a copy and already has its own AWS account, thus no need for an IAM role.
upvoted 2 times
...
...
sctmp
Highly Voted 3 years, 7 months ago
A. The question says the auditor needs its own copy of the database. A read replica won't do this request. B. We can't have direct access to the bucket in S3. C. Sounds like a lot of work; I doubt someone is going to be auditing from text files. D. Sounds reasonable. Making an encrypted snapshot, the auditor will have its own copy of the database.
upvoted 34 times
aguy9
3 years, 7 months ago
Yes agreed, D is the only reasonable answer.
upvoted 2 times
...
Kampton
3 years, 7 months ago
Sounds very reasonable, give him an encrypted snapshot to take it home, so that he can have his own copy that he can ....
upvoted 1 times
...
noahsark
3 years, 7 months ago
Agree with D. Possibly the common-sense explanation is: (A) a read-only database may be changed from the source; (D) a snapshot is permanent :)
upvoted 2 times
...
Kopa
3 years, 6 months ago
It doesn't look so safe to give a copy of your DB to the auditor. Maybe A makes more logic, only read access.
upvoted 6 times
...
...
Uzi_m
Most Recent 2 years, 2 months ago
The correct Option is D.
upvoted 1 times
...
Root_Access
2 years, 8 months ago
Selected Answer: D
Should be D: You can share DB snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in Encrypting Amazon RDS resources. To do this, take the following steps: Share the AWS KMS key that was used to encrypt the snapshot with any accounts that you want to be able to access the snapshot. You can share KMS keys with another AWS account by adding the other account to the KMS key policy. For details on updating a key policy, see Key policies in the AWS KMS Developer Guide. For an example of creating a key policy, see Allowing access to an AWS KMS key later in this topic. Use the AWS Management Console, AWS CLI, or Amazon RDS API to share the encrypted snapshot with the other accounts.
upvoted 1 times
...
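Added example, not part of the original thread and not AWS's own code: a sketch of the key-policy step described in the comment above, for a customer managed key. The function name, the `Sid` values, the alias `alias/audit-snapshots` and the account IDs are assumptions made up for illustration; the two CLI calls in the trailing comment use placeholders for the key and snapshot identifiers.

```python
import copy
import re

# Sids are hypothetical names chosen for this example.
USE_SID = "AllowAuditorUseOfKey"
GRANT_SID = "AllowAuditorGrantsForAwsResources"

def share_key_with_account(key_policy, account_id, key_alias):
    """Return a copy of key_policy that lets account_id use the snapshot's KMS key."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    # A snapshot encrypted with the AWS managed key (alias/aws/rds) cannot be
    # shared; it must first be copied under a customer managed key.
    if key_alias.startswith("alias/aws/"):
        raise ValueError("re-encrypt the snapshot with a customer managed key first")
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    statements = [
        {"Sid": USE_SID, "Effect": "Allow", "Principal": principal,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        # Grants are limited to those created on behalf of AWS services (RDS).
        {"Sid": GRANT_SID, "Effect": "Allow", "Principal": principal,
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]
    policy = copy.deepcopy(key_policy)
    # Drop earlier copies of these statements so repeated runs do not stack them.
    kept = [s for s in policy.get("Statement", [])
            if s.get("Sid") not in (USE_SID, GRANT_SID)]
    policy["Statement"] = kept + statements
    return policy

# Constructed sample: owner account 111122223333, auditor account 444455556666.
OWNER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableOwnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    import json
    print(json.dumps(share_key_with_account(
        OWNER_POLICY, "444455556666", "alias/audit-snapshots"), indent=2))
    # Then, with the AWS CLI (placeholders in <>):
    #   aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json
    #   aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-id> \
    #       --attribute-name restore --values-to-add 444455556666
```

The auditor then copies the shared snapshot in their own account under a key they control, which gives them the independent copy the question asks for.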
cloud_collector
2 years, 9 months ago
D is suitable for the "secure manner" in question. "Sharing encrypted snapshots" and "Allowing access to an AWS KMS key" https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
upvoted 1 times
...
gpikagm
2 years, 11 months ago
Sharing encrypted snapshots You can share DB snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in Encrypting Amazon RDS resources. To do this, take the following steps: Share the AWS KMS key that was used to encrypt the snapshot with any accounts that you want to be able to access the snapshot. D You can share KMS keys with another AWS account by adding the other account to the KMS key policy.
upvoted 3 times
...
lfsn
3 years ago
Selected Answer: D
The question is: how should the company "securely" share the database with the auditor? Sharing an unencrypted copy is not secure at all!
upvoted 2 times
...
klapek
3 years ago
Selected Answer: B
"allow access to the AWS Key Management Service (AWS KMS) encryption key." - not sure if this is best practice.
upvoted 2 times
...
SuhasH
3 years, 3 months ago
Selected Answer: D
Own Copy Of Database AWS Account Secure
upvoted 2 times
...
weilun_tann
3 years, 4 months ago
- A is wrong. Auditor needs a static copy of the DB
- B is wrong. It is less secure than D because the snapshot is unencrypted
- C is wrong. It is less secure than D because the snapshot is unencrypted
- D is correct. Sharing of KMS CMK can be done by attaching an IAM policy on the auditor's account that grants access to the key - https://aws.amazon.com/premiumsupport/knowledge-center/share-kms-account/
upvoted 1 times
...
Sharan_25_v
3 years, 4 months ago
Confused between B and D, as both match. D is more secure, though, but can we share the KMS keys with another AWS account?
upvoted 1 times
...
RidzV
3 years, 5 months ago
Was confused between B & D, but upon reading again, the question says "The auditor has its own Amazon Web Services (AWS) account and demands a copy of the database." B talks about granting access to the object, so D seems to be the right option.
upvoted 1 times
...
omunoz
3 years, 5 months ago
Usually an auditor only performs data review for forensic analysis, with no need to modify the data, so not sure why to give him an encrypted snapshot of the DB... a read replica can comply with the requirement... and it would be secure, since the access would be done by IAM permissions to his AWS account...
upvoted 2 times
...
anas23
3 years, 5 months ago
https://www.youtube.com/watch?v=gFkguN0y_ho I guess D
upvoted 1 times
...
ecastilla
3 years, 6 months ago
Key points are:
* auditor has its own AWS account and requires its own copy of the database
* securely share the database with the auditor
A is out because the auditor is not using its own copy
B matches both requirements
C is not direct and the auditor will not use its own account
D Using B you don't need to encrypt the snapshot and it's less specific than B (how to share the snapshot? how to give access to KMS in the company's account?)
I go with B
upvoted 4 times
...
kenzoxxlarge
3 years, 6 months ago
Correct Answer: D. Create an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key. You can share the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to encrypt the snapshot with any accounts that you want to be able to access the snapshot. You can share AWS KMS CMKs with another AWS account by adding the other account to the AWS KMS key policy. Making an encrypted snapshot of the database will give the auditor a copy of the database, as required for the given use case.
upvoted 1 times
swadeey
3 years, 6 months ago
Might sound correct in this question, but in a real situation you won't give a copy of your database, even encrypted (with keys). Control is with a read replica, as you have control to delete it, pull it off and unshare whenever you can. But once you give a snapshot, the data is with him forever and he can re-use it.
upvoted 1 times
...
...
Sakthivallaban
3 years, 6 months ago
https://aws.amazon.com/premiumsupport/knowledge-center/encrypt-rds-snapshots/
upvoted 1 times
...