Exam AWS Certified Security - Specialty topic 1 question 21 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 21
Topic #: 1

An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes.
A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?

  • A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
  • B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
  • C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service's servers.
  • D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.
Suggested Answer: C 🗳️

Comments

josellama2000
Highly Voted 3 years, 8 months ago
A is incorrect. You can upload an SSL certificate to IAM. But when setting the cert up on CloudFront you will use the cert path (a passphrase, if any, will have to be provided by the client) https://aws.amazon.com/premiumsupport/knowledge-center/import-ssl-certificate-to-iam/ B is incorrect. This option will require a script or a change in the app code. KMS.Encrypt() is a function from the aws-sdk that can be used inside your code. KMS.Encrypt() and KMS.Decrypt() are used on the client's side. C is correct. D may work but will require more effort than C.
upvoted 47 times
Smartphone
3 years, 8 months ago
Well explained!
upvoted 1 times
ChauPhan
3 years, 7 months ago
For B: KMS.Encrypt() and Decrypt() are methods to encrypt and decrypt the data key, not the application data itself. And the data key cannot exceed 4 KB. The data key (<=4 KB) will be used to encrypt/decrypt your LARGE application data. But how to protect this data key? That's why it is also encrypted by KMS.Encrypt() and Decrypt(). Flow: Master key (CMK) --> Encrypt/Decrypt data key --> Encrypt/Decrypt your real application data. Envelope encryption: when you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
upvoted 2 times
Bach999
3 years, 8 months ago
B is wrong because it doesn't support file sizes up to several megabytes. If the file size is greater than 4 KB, we must use 'envelope encryption' (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping)
upvoted 8 times
certking
3 years, 7 months ago
Good point, the 4 KB limit is mentioned in https://docs.aws.amazon.com/kms/latest/developerguide/programming-encryption.html
upvoted 2 times
GeeBeeEl
3 years, 7 months ago
Hi Bach, I am not sure of the meaning of envelope encryption as you seem to have used it.
upvoted 2 times
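The two points raised in this thread, that KMS Encrypt takes at most 4 KB of plaintext and that larger files therefore need envelope encryption (a data key protects the file, KMS protects the data key), are easier to see in code. The block below is an added example, not code from the thread, from AWS, or from any commenter. It keeps the boto3 KMS call shapes (encrypt, decrypt and generate_data_key with KeyId, Plaintext and CiphertextBlob) but uses an in-memory stand-in, FakeKms, that enforces the 4096-byte limit, and a toy SHA-256 counter-mode stream cipher with an HMAC tag in place of AES-GCM for the bulk data; the master key, data keys and sample "data file" are all constructed at run time.

```python
"""Envelope encryption against a KMS-style key service (added example).

Not code from the thread or from AWS. FakeKms mimics the boto3 KMS call
shapes and the documented 4096-byte plaintext limit of KMS Encrypt; the
stream cipher below is a toy stand-in for AES-GCM, not for production use.
"""
import hashlib
import hmac
import os

KMS_MAX_PLAINTEXT = 4096  # KMS Encrypt accepts at most 4 KB of plaintext


def _keystream(key, nonce, length):
    # Counter-mode keystream derived with SHA-256: a toy PRF, not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    n = len(a)
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(n, "big")


def _stream_encrypt(key, plaintext):
    # Encrypt-then-MAC layout: nonce || body || HMAC(nonce || body).
    nonce = os.urandom(16)
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _stream_decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor(body, _keystream(key, nonce, len(body)))


class FakeKms:
    """In-memory stand-in for a boto3 KMS client (assumed call shapes)."""

    def __init__(self, key_id="alias/constructed-cmk"):
        self.key_id = key_id
        self._master = os.urandom(32)  # the CMK; it never leaves the 'service'

    def encrypt(self, KeyId, Plaintext):
        if len(Plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("ValidationException: Plaintext exceeds 4096 bytes")
        return {"KeyId": KeyId, "CiphertextBlob": _stream_encrypt(self._master, Plaintext)}

    def decrypt(self, CiphertextBlob):
        return {"KeyId": self.key_id, "Plaintext": _stream_decrypt(self._master, CiphertextBlob)}

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        data_key = os.urandom(32)
        wrapped = self.encrypt(KeyId=KeyId, Plaintext=data_key)["CiphertextBlob"]
        return {"KeyId": KeyId, "Plaintext": data_key, "CiphertextBlob": wrapped}


def envelope_encrypt(kms, key_id, data):
    """Client side: fresh data key from KMS, bulk encryption locally, ship the wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    return {"wrapped_key": dk["CiphertextBlob"], "ciphertext": _stream_encrypt(dk["Plaintext"], data)}


def envelope_decrypt(kms, envelope):
    """Server side: KMS unwraps the small data key; bulk decryption is local."""
    data_key = kms.decrypt(CiphertextBlob=envelope["wrapped_key"])["Plaintext"]
    return _stream_decrypt(data_key, envelope["ciphertext"])


def direct_kms_encrypt_fits(kms, key_id, data):
    """Option B as literally written: hand the whole file to KMS Encrypt."""
    try:
        kms.encrypt(KeyId=key_id, Plaintext=data)
        return True
    except ValueError:
        return False


def demo(size=3 * 1024 * 1024):
    kms = FakeKms()
    data = os.urandom(size)  # constructed multi-megabyte 'data file'
    env = envelope_encrypt(kms, kms.key_id, data)
    return {
        "direct_fits": direct_kms_encrypt_fits(kms, kms.key_id, data),  # False: over 4 KB
        "roundtrip_ok": envelope_decrypt(kms, env) == data,              # True
        "wrapped_key_len": len(env["wrapped_key"]),                       # 80 bytes
    }


if __name__ == "__main__":
    print(demo())
```

Swapping FakeKms for a real boto3 KMS client and the toy cipher for AES-GCM (or letting the AWS Encryption SDK do both) leaves the flow unchanged. Note what the example does and does not show: envelope encryption removes the size problem with option B, but it still requires new client and server code, and it protects the file as a stored object rather than the connection it travels over, which is why the thread still lands on C as the low-effort fix for the in-transit finding.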
BillyC
Highly Voted 3 years, 8 months ago
C is Correct!
upvoted 17 times
gsax
Most Recent 1 year, 9 months ago
Please explain: I am using a laptop on an untrusted network. How come files are encrypted once they leave the laptop and reach the ELB, as explained in "C"? This is a poorly worded question.
upvoted 1 times
AWS_Noob
2 years, 4 months ago
Selected Answer: C
"File sizes vary from a few kilobytes to several megabytes." That's the key statement. Based on this, we know that 4 KB is the limit, leaving C as the only answer.
upvoted 1 times
Mr__
2 years, 8 months ago
Selected Answer: C
C is correct
upvoted 1 times
Radhaghosh
3 years, 4 months ago
Option C --> Low cost, low overhead, best solution
upvoted 1 times
jj22222
3 years, 5 months ago
Selected Answer: C
SSL for encryption in transit
upvoted 1 times
NSF2
3 years, 7 months ago
So the remote workers are submitting data files, but nothing is mentioned about whether it is through the web. So it is not sure whether C is the correct answer, as creating SSL offloading doesn't do anything unless it's HTTPS.
upvoted 5 times
Ayusef
3 years, 5 months ago
I agree this question is poorly worded.
upvoted 5 times
SlayerB
3 years, 7 months ago
A. Upload an SSL certificate to IAM - this won't help encrypt the data in transit. Over Internet + in transit means a secure connection like TLS. B. Call KMS.Encrypt() in the client - KMS.Encrypt is for at-rest, not in-transit. C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing - ELB means web traffic; a cert on web traffic can enable HTTPS. Winner. D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record. - just no
upvoted 1 times
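Several commenters (NSF2, gsax, GeeBeeEl) ask whether a certificate on the load balancer really protects the upload. It does only when the listener the workers connect to is an HTTPS listener (or an NLB TLS listener) with the certificate attached: the TLS handshake completes before any file bytes are sent, the ELB decrypts at its edge, and a plaintext HTTP listener that forwards rather than redirects leaves the finding open. The check below is an added example, not code from the thread or from AWS. It takes a list shaped like the Listeners array of `aws elbv2 describe-listeners` (Protocol, Port, Certificates, DefaultActions) and reports whether uploads are encrypted up to the ELB; the two listener sets, the ARNs and the account/region values are constructed placeholders.

```python
"""Audit whether an Elastic Load Balancer terminates TLS for uploads (added example).

Not code from the thread or AWS. With boto3, pass
client.describe_listeners(LoadBalancerArn=...)["Listeners"] to audit_listeners();
everything below is constructed sample data in that shape.
"""

TLS_PROTOCOLS = {"HTTPS", "TLS"}  # ALB HTTPS listener, NLB TLS listener

# Constructed sample: the ELB before remediation, a plaintext HTTP listener only.
BEFORE = [
    {"Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/uploads/PLACEHOLDER"}]},
]

# Constructed sample: after option C, an ACM certificate on an HTTPS listener,
# with the HTTP listener reduced to a redirect.
AFTER = [
    {"Protocol": "HTTPS", "Port": 443,
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}],
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/uploads/PLACEHOLDER"}]},
    {"Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]


def classify_listener(listener):
    """Return (status, message) for one listener."""
    proto, port = listener.get("Protocol"), listener.get("Port")
    if proto in TLS_PROTOCOLS:
        certs = listener.get("Certificates") or []
        if not certs:
            return "FAIL", f"{proto}:{port} has no certificate attached"
        return "PASS", f"{proto}:{port} terminates TLS with {certs[0]['CertificateArn']}"
    if proto == "HTTP":
        for action in listener.get("DefaultActions", []):
            cfg = action.get("RedirectConfig", {})
            if action.get("Type") == "redirect" and cfg.get("Protocol") == "HTTPS":
                return "REDIRECT", f"HTTP:{port} only redirects to HTTPS"
        return "FAIL", f"HTTP:{port} accepts uploads in plaintext"
    return "WARN", f"{proto}:{port} is not an HTTP/HTTPS/TLS listener; review separately"


def audit_listeners(listeners):
    """Encrypted in transit (client to ELB) means: at least one TLS listener with a
    certificate, and no listener that still accepts plaintext."""
    results = [classify_listener(l) for l in listeners]
    has_tls = any(status == "PASS" for status, _ in results)
    findings = [msg for status, msg in results if status == "FAIL"]
    return {
        "encrypted_in_transit": has_tls and not findings,
        "findings": findings,
        "detail": [f"{status}: {msg}" for status, msg in results],
    }


if __name__ == "__main__":
    for label, listeners in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_listeners(listeners))
```

The check covers the hop the audit finding is about, the untrusted network between the worker and the ELB. The hop from the ELB to its targets is a separate decision (an HTTPS target group if that segment is also considered untrusted), which is the distinction behind the "encrypting vs decrypting at the ELB" remark further down the thread.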
sanjaym
3 years, 7 months ago
Ans: C 100%
upvoted 2 times
apartha77
3 years, 7 months ago
C is correct
upvoted 1 times
devjava
3 years, 7 months ago
Ans > C
upvoted 1 times
AfricanCloudGuru
3 years, 7 months ago
Ans (C): Issue a Certificate Manager certificate to an Elastic Load Balancer in front of EC2 instances
upvoted 2 times
GeeBeeEl
3 years, 7 months ago
Is this for outbound data? Because if it is for inbound data, it means the data came in without being encrypted. Attempting to encrypt at the ELB is late; you should be decrypting at the ELB!!!
upvoted 2 times
Buggie
3 years, 7 months ago
C it is
upvoted 1 times
tomtom2020
3 years, 7 months ago
Yes, it's "C"
upvoted 1 times
RaySmith
3 years, 8 months ago
C is correct
upvoted 1 times
RaySmith
3 years, 8 months ago
A is correct
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other