Exam AWS Certified Security - Specialty topic 1 question 77 discussion

Answer is D: Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process completed. If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800-88 (“Guidelines for Media Sanitization”), you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.

Correct is B A is incorrect. Double encrypting the data is useless B is correct. AWS automatically wipes out the volume after the customer release the volume, it also deleted the encryption key. So data recoverable level is low. C is incorrect. The encryption key is automatically delete after releasing the volume D is incorrect. OS's delete and quick-format are useless because data can be recover easily. Note- Any specialized wipe procedure like DoD 5220.22-M or NIST-800-88 must be executed prior to deleting the volume

If your EBS volumes were encrypted with a Customer Managed Key (CMK) in AWS KMS: Deleting (or disabling) the CMK makes the data on the EBS volume permanently unreadable. Without the encryption key, the encrypted data cannot be decrypted by anyone — including AWS. Once the key is destroyed, you can safely release the volumes back to AWS, knowing that no one can decrypt the contents. D is not right because: OS-level delete and quick format only remove file pointers data can still potentially be recovered.

Correct answer is D.

C - Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS When releasing EBS, if encryption key is destroyed, then when it comes to attach EBS again, you'll not be able to decrypt data anymore, so I think C is the best answer.

The problem with C is the key would have to be customer managed, and you would have to have a different key for every volume, the questions says nothing about CMKs. A quick format (D) does nothing - it does not overwrite data in either Windows or Linux.

Answer is C

Answer is C: Read the full context of the question: example.com used to use EBS but has switched to S3. This is a one-off event to securely release a bunch of EBS data that now lives on S3. Therefore, the 7 day charge to delete the key is perfectly acceptable to protect the data. The ONLY answer provided that *SECURELY* destroys all the data on those volumes *BEFORE* releasing them is deleting the encryption key--in this context, destroying the key is equivalent to destroying the files, since there is no way to recover them.

When an Amazon EBS volume is deleted or released, the data on the volume is not immediately erased. Instead, the space that was occupied by the data is marked as available for use, but the actual data may still be present on the physical media. To ensure that the data is completely wiped and is not accessible by anyone else, AWS uses a process called "secure erase". AWS recommends that customers take steps to ensure that sensitive data is not stored on EBS volumes or any other storage device for longer than necessary. When the data is no longer required, the volume should be deleted or released, and if necessary, the data should be securely erased using the secure erase feature provided by AWS. I'll go with C

Guys objective of this cert is to get knowledge of AWS managed services, offerings and convey to community. Technically it make more sense to zero fill the drive and then release but if you think from AWS EBS offering preservative, AWS is advertising that we do this wipe and cleanup by our-self when volume is deleted, so right option from AWS exam point of view is "B".

B is correct answer. AWS wipes data before reuse.

Answer is C After you remove the EBS volume, its gone and no one else can access it so C makes perfect sense because your are deleteing the keys to encrypt the data then AWS will delete the volume after you have detached it and it cant be attached to anything else https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html

A. Changing encryption is unnecessary. B. AWS wipes data but before re-use. Here requirement that data is unreadable before releasing. C. Sound reasonable as if encryption key is deleted, encrypted data key stored on EBS can't be recovered and hence data can't be recovered. D. OS delete command will not help, specialised wipe procedure is needed instead.

If my managers explicitely ask me to ensure that '' all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks'' they would be quite unhappy if I released directly the disks to AWS, without deleting the data prior to that.

Option B is correct, but option C is more complete and secure. In my option option D is incorrect because if you just delete data and quick format you can recover data using specialized tool. In order avoid that you should degauss the disk.

I chose the answer C based on the only question asked. "Which of the following approaches will assure that no one else can read the data?" If you delete the key, no one else can read the data.

if the key is deleted, data will be not accessible to anyone. hence, deleting a key is equivalent to deletion of data. This is a full-proof solution. hence, C.