Exam AWS Certified Security - Specialty topic 1 question 10 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 10
Topic #: 1

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive", "Confidential", and "Restricted". The security solution must meet all of the following requirements:
  • Each object must be encrypted using a unique key.
  • Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.
  • AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?

  • A. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
  • B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
  • C. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
  • D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Suggested Answer: A

Comments

BillyC
Highly Voted 3 years, 9 months ago
A is Correct
upvoted 28 times
cloudguy365
3 years, 9 months ago
Agree, A is the correct answer.
upvoted 9 times
INASR
Highly Voted 3 years, 9 months ago
A for sure. B & C are wrong because "grant" has nothing to do with the question. D is surely wrong since with imported keys you cannot do automatic rotation as required in the question.
upvoted 23 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
A is correct.
upvoted 2 times
Benah
1 year, 9 months ago
A is correct
upvoted 1 times
laksmikanth836
2 years, 1 month ago
Option C is the answer. Options A, B, and D do not provide a clear mechanism for encrypting each object with a unique key, which is one of the specified requirements. Only option C explicitly mentions creating DEK grants to uniquely encrypt each object within the S3 bucket, making it the correct choice that meets all the given requirements.
upvoted 1 times
Japanese1
1 year, 10 months ago
No. Even if not explicitly stated, KMS uses a unique key for each object.
upvoted 1 times
Qasimac
2 years, 8 months ago
A is correct
upvoted 1 times
dcasabona
2 years, 11 months ago
Selected Answer: A
I go on A as well.
upvoted 2 times
hk436
3 years, 8 months ago
A is my answer.
upvoted 2 times
sanjaym
3 years, 8 months ago
Ans: A 100%
upvoted 2 times
devjava
3 years, 8 months ago
Ans > A
upvoted 1 times
AfricanCloudGuru
3 years, 8 months ago
Ans (A), because it meets all the requirements of the company accordingly.
upvoted 2 times
JackLee1
3 years, 8 months ago
Does anyone know how to define the MFA policy within the key policy for the decrypt action? I saw that in an IAM policy one can put the condition, but in a KMS key policy one can only put this for admin actions.
upvoted 1 times
Sickcnt
2 years ago
Here is an example of how to write a key policy with MFA, and also how to integrate the MFA itself into your application (so you can authenticate yourself with your application): https://mariadb.com/kb/en/aws-key-management-encryption-plugin-advanced-usage/#using-a-multi-factor-authentication-mfa-device
The key policy for MFA should look like this, btw:
"Condition": { "Bool": { "aws:MultiFactorAuthPresent": "True" } },
upvoted 3 times
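A concrete version of the key policy discussed in the two comments above, as an added example (not code from the page or from the linked MariaDB article): it builds a key policy for the "Restricted" key whose usage statement, including kms:Decrypt, carries the aws:MultiFactorAuthPresent condition, and it checks a policy document for that condition. The account id, role name and Sids are placeholders; annual rotation is a separate key setting (enable-key-rotation), not something the policy JSON expresses.

```python
# Constructed example, not code from the page. Account id and role name are placeholders.
ACCOUNT_ID = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"
READERS = f"arn:aws:iam::{ACCOUNT_ID}:role/restricted-readers"  # assumed role name


def build_key_policy(require_mfa):
    """Key policy with the usual root-admin statement plus a usage statement
    for S3 SSE-KMS callers. With require_mfa, usage (including Decrypt) is
    only allowed when the caller authenticated with MFA. Annual rotation is
    not a policy setting; it is enabled separately (aws kms enable-key-rotation)."""
    usage = {
        "Sid": "AllowUseForS3Objects", "Effect": "Allow",
        "Principal": {"AWS": READERS},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                   "kms:ReEncrypt*", "kms:DescribeKey"],
        "Resource": "*",
    }
    if require_mfa:
        usage["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableRootAdmin", "Effect": "Allow",
         "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
        usage,
    ]}


def _actions(stmt):
    # "Action" may be a single string or a list; normalise to a list.
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else a


def _has_mfa_condition(stmt):
    val = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(val).lower() == "true"


def decrypt_requires_mfa(policy, ignore_principals=()):
    """True if every Allow statement that grants kms:Decrypt (exactly, via kms:*
    or via *) carries the MFA condition. Principals in ignore_principals (e.g. the
    account root, whose admin statement is normally unconditional) are skipped."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and principal.get("AWS") in ignore_principals:
            continue
        grants = any(a in ("kms:Decrypt", "kms:*", "*") for a in _actions(stmt))
        if grants and not _has_mfa_condition(stmt):
            return False
    return True
```

Note that the root admin statement is deliberately unconditional, so a check that does not skip it will flag every standard key policy; pass the root ARN in ignore_principals when auditing.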
PeppaPig
3 years, 8 months ago
A is correct. Just to answer those questions around "each object with a unique key": keep in mind that S3 applies envelope encryption, meaning that each object is NOT encrypted by your CMK directly. Instead, each object is encrypted with a unique data key which is generated and also encrypted by your CMK.
upvoted 16 times
SPKamal
3 years, 8 months ago
One of the requirements is "Each object must be encrypted using a unique key"; is this possible using SSE-KMS? Only SSE-S3 has this feature, right? Going by the other requirements, option A looks to be the one, but this one is quite misleading.
upvoted 2 times
PeppaPig
3 years, 8 months ago
SSE-KMS ensures each object is encrypted with a unique data key generated and encrypted by your CMK. https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html "When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) is similar to SSE-S3."
upvoted 3 times
Sirmeysam
3 years, 8 months ago
Seems like all of you agree on A, but none of you mentioned how A supports individually encrypting the object using "a unique key".
upvoted 2 times
wzlinux
3 years, 8 months ago
I think there is no correct answer. A may be correct, but SSE-CMK can't encrypt the object using a unique key.
upvoted 1 times
Donell
3 years, 8 months ago
Answer is A. (See the last line.) Reference: https://jayendrapatil.com/tag/kms/ "SSE-KMS provides the option to create and manage encryption keys yourself, or use a default customer master key (CMK) that is unique to you, the service you're using, and the region you're working in. Creating and managing your own CMK gives you more flexibility, including the ability to create, rotate, disable, and define access controls, and to audit the encryption keys used to protect your data. Data keys used to encrypt your data are also encrypted and stored alongside the data they protect and are unique to each object."
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other