Exam AWS Certified Solutions Architect - Professional topic 1 question 682 discussion

A media company is serving video files stored in Amazon S3 using Amazon CloudFront. The development team needs access to the logs to diagnose faults and perform service monitoring. The log files from CloudFront may contain sensitive information about users.
The company uses a log processing service to remove sensitive information before making the logs available to the development team. The company has the following requirements for the unprocessed logs:
✑ The logs must be encrypted at rest and must be accessible by the log processing service only.
✑ Only the data protection team can control access to the unprocessed log files.
✑ AWS CloudFormation templates must be stored in AWS CodeCommit.
✑ AWS CodePipeline must be triggered on commit to perform updates made to CloudFormation templates.
CloudFront is already writing the unprocessed logs to an Amazon S3 bucket, and the log processing service is operating against this S3 bucket.

Which combination of steps should a solutions architect take to meet the company's requirements? (Choose two.)

  • A. Create an AWS KMS key that allows the AWS Logs Delivery account to generate data keys for encryption. Configure S3 default encryption to use server-side encryption with KMS managed keys (SSE-KMS) on the log storage bucket using the new KMS key. Modify the KMS key policy to allow the log processing service to perform decrypt operations.
  • B. Create an AWS KMS key that allows the CloudFront service role to generate data keys for encryption. Configure S3 default encryption to use KMS managed keys (SSE-KMS) on the log storage bucket using the new KMS key. Modify the KMS key policy to allow the log processing service to perform decrypt operations.
  • C. Configure S3 default encryption to use AWS KMS managed keys (SSE-KMS) on the log storage bucket using the AWS Managed S3 KMS key. Modify the KMS key policy to allow the CloudFront service role to generate data keys for encryption. Modify the KMS key policy to allow the log processing service to perform decrypt operations.
  • D. Create a new CodeCommit repository for the AWS KMS key template. Create an IAM policy to allow commits to the new repository and attach it to the data protection team's users. Create a new CodePipeline pipeline with a custom IAM role to perform KMS key updates using CloudFormation. Modify the KMS key policy to allow the CodePipeline IAM role to modify the key policy.
  • E. Use the existing CodeCommit repository for the AWS KMS key template. Create an IAM policy to allow commits to the new repository and attach it to the data protection team's users. Modify the existing CodePipeline pipeline to use a custom IAM role and to perform KMS key updates using CloudFormation. Modify the KMS key policy to allow the CodePipeline IAM role to modify the key policy.
Suggested Answer: AD
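The key policy that options A and D describe, written out as an added illustration (not from the exam, the discussion, or AWS): a customer managed key policy carrying the delivery.logs.amazonaws.com GenerateDataKey statement quoted in the comments, a Decrypt grant for the log processing service, and key-policy management rights for the pipeline's role, plus a small evaluator to check who can do what. The account id and role names are constructed placeholders, and the usual account-root administrator statement of a real key policy is left out.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed placeholder account id
LOG_PROCESSOR_ROLE = f"arn:aws:iam::{ACCOUNT}:role/LogProcessingService"  # hypothetical name
PIPELINE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/KmsKeyPipelineRole"  # hypothetical name

KEY_POLICY = {  # customer managed key used for SSE-KMS on the unprocessed-log bucket
    "Version": "2012-10-17",
    "Statement": [
        {   # CloudFront standard logs are written by the log delivery service,
            # which must generate data keys to encrypt each object it uploads
            "Sid": "AllowCloudFrontLogDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
        },
        {   # only the log processing service may decrypt the raw logs
            "Sid": "AllowLogProcessorDecrypt",
            "Effect": "Allow",
            "Principal": {"AWS": LOG_PROCESSOR_ROLE},
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
        {   # key policy changes flow only through the pipeline's role
            "Sid": "AllowPipelineToManageKeyPolicy",
            "Effect": "Allow",
            "Principal": {"AWS": PIPELINE_ROLE},
            "Action": ["kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, caller, action):
    """Explicit Deny wins; otherwise a matching Allow is required. `caller` is a service principal name or a role ARN."""
    allowed = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt["Principal"].get("Service", [])) + _as_list(stmt["Principal"].get("AWS", []))
        if caller not in principals:
            continue
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue  # wildcard actions such as kms:GenerateDataKey* are matched here
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```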

Comments

Mrflip
Highly Voted 3 years, 8 months ago
AD. There is no such role called CloudFront service-linked role. CloudFront uses awslogsdelivery to deliver logs to the S3 bucket -> https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
upvoted 13 times
LCC92
3 years, 7 months ago
From the link Mrflip gives: If you enabled server-side encryption for your Amazon S3 bucket using AWS KMS-managed keys (SSE-KMS) with a customer-managed Customer Master Key (CMK), you must add the following to the key policy for your CMK to enable writing log files to the bucket. You cannot use the default CMK because CloudFront won't be able to upload the log files to the bucket. { "Sid": "Allow CloudFront Flow Logs to use the key", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": "kms:GenerateDataKey*", "Resource": "*" }
upvoted 3 times
SD13
Highly Voted 3 years, 8 months ago
B & D : These are correct options — If you enabled server-side encryption for your Amazon S3 bucket using AWS KMS-managed keys (SSE-KMS) with a customer-managed Customer Master Key (CMK), you must add the following to the key policy for your CMK to enable writing log files to the bucket. You cannot use the default CMK because CloudFront won't be able to upload the log files to the bucket. URL : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsKMSPermissions
upvoted 11 times
pablobairat
3 years, 7 months ago
According to that link and the paragraph you have pasted, the correct answers are C & D
upvoted 1 times
bobsmith2000
3 years ago
C is wrong. You cannot modify a key policy of an AWS managed KMS key. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
upvoted 3 times
kiwtirApp
Most Recent 1 year, 7 months ago
Selected Answer: BD
fuk u that's why
upvoted 1 times
ryu10_09
3 years, 6 months ago
According to AWS: If the S3 bucket for your standard logs uses server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key, you must add the following statement to the key policy for your customer managed key. This allows CloudFront to write log files to the bucket. (You can't use SSE-KMS with the AWS managed key because CloudFront won't be able to write log files to the bucket.) With this I go with A&D.
upvoted 2 times
bobsmith2000
3 years ago
There's no such thing as "AWS Logs Delivery account". It's a service.
upvoted 3 times
student22
3 years, 7 months ago
A,D AWS Logs Delivery account + new repository
upvoted 3 times
andylogan
3 years, 7 months ago
It's A D, as per tgv's comment.
upvoted 1 times
Kopa
3 years, 7 months ago
Correct A, D
upvoted 2 times
tgv
3 years, 7 months ago
AAA DDD --- CloudFront service role doesn't exist. It uses "delivery.logs.amazonaws.com" which is the "awslogsdelivery account" ---> https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
upvoted 6 times
blackgamer
3 years, 7 months ago
B & D for me.
upvoted 1 times
blackgamer
3 years, 7 months ago
Change to A& D after reading this document. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
upvoted 1 times
denccc
3 years, 7 months ago
B and D
upvoted 1 times
WhyIronMan
3 years, 7 months ago
I'll go with B,D
upvoted 2 times
Waiweng
3 years, 7 months ago
It's A&D, no such thing as CloudFront service role.
upvoted 7 times
DashL
3 years, 7 months ago
Whichever service delivers logs to S3 needs to have permission to use the CMK. In this case CloudFront delivers the logs to AWS Logs Delivery account. Then AWS Logs Delivery account delivers the logs to S3. In this case, CloudFront doesn't encrypt the logs - the AWS Logs Delivery account does. CloudFront isn't even aware of the fact that the logs are being encrypted.
upvoted 5 times
ss160700
3 years, 7 months ago
A & D - CloudFront will use "Service": "delivery.logs.amazonaws.com" to log to S3. Need "Action": "kms:GenerateDataKey*" for the principal.
upvoted 3 times
bobsmith2000
3 years ago
Isn't it a service? A states that it's an account, but in the documentation it's shown as a service.
upvoted 1 times
[Removed]
3 years, 7 months ago
why not E?
upvoted 3 times
CarisB
3 years, 8 months ago
Thanks for the link SD13. My first choice was AD, but BD seems right.
upvoted 2 times
Pupu86
3 years, 8 months ago
Option C is correct as SSE-S3 is needed minimally to encrypt at rest and reduce unnecessary cost of SSE-KMS.
upvoted 1 times
M_Asep
3 years, 8 months ago
BD for me, because A seems not right: using AWS SSE you can't use your own key.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other