Exam AWS Certified Security - Specialty topic 1 question 239 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 239
Topic #: 1

A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead.
What should the security team recommend?

  • A. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
  • B. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
  • C. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
  • D. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
Suggested Answer: C 🗳️
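As an added illustration, not from the page or from AWS documentation, this is the kind of customer managed key policy that option C makes possible for one team's key (account ID, role names, region and bucket name are placeholders); no equivalent exists for option A because the policy of an AWS managed key such as aws/s3 is fixed. The third statement grants use only through S3 and only when the encryption context that S3 supplies names that team's bucket, and CloudTrail records that context with each KMS call, which is what makes key usage auditable per team.

```json
{
  "Version": "2012-10-17",
  "Id": "team-a-s3-cmk-policy",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "SecurityTeamAdministersKey",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/SecurityTeamKmsAdmin"},
      "Action": [
        "kms:Describe*", "kms:Get*", "kms:List*", "kms:Put*", "kms:Update*",
        "kms:Enable*", "kms:Disable*", "kms:Revoke*", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion", "kms:TagResource", "kms:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TeamAUsesKeyOnlyThroughItsBucket",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/TeamAAppRole"},
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::team-a-sensitive-data",
            "arn:aws:s3:::team-a-sensitive-data/*"
          ]
        }
      }
    }
  ]
}
```

The first statement is the AWS default that lets IAM policies in the account grant access to the key; with it present the security team must also keep IAM policies from granting the other team this key, and without it the key policy alone is the gate, so the admin statement must be correct or the key becomes unmanageable. Team B gets a second key with the same shape, its own role and its own bucket ARN in the condition.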

Comments

Hungdv
Highly Voted 3 years, 7 months ago
C is the answer. You cannot change the key policy with option A. Option A: You can view the AWS managed CMKs in your account, view their key policies, and audit their use in AWS CloudTrail logs. However, you cannot manage these CMKs, rotate them, or change their key policies. And you cannot use AWS managed CMKs in cryptographic operations directly; the service that creates them uses them on your behalf.
upvoted 42 times
skipbaylessfor3
Highly Voted 3 years, 7 months ago
I understand that A has less operational overhead. But the keys are not going to be separate; they are the same. When you select AWS managed CMKs for S3, it will choose the aws/s3 CMK in your account, of which there is only one. So there is only one key. Further, it says "limit the key policies to allow encryption and decryption of the CMKs to their respective teams only" - how can you do that with an AWS managed CMK? You can't. Therefore I'm sticking with C. I'm surprised that some names in the comments who I thought usually have trustworthy answers are siding with A, not sure why. Best to do your own research for each question, I guess.
upvoted 14 times
wahlbergusa
3 years, 7 months ago
+1 on comments regarding comments :) Do your own research to make sure.
upvoted 3 times
kiwi123
Most Recent 1 year, 9 months ago
Selected Answer: B
I think B satisfies the requirement, because "data must always be separate" doesn't mean the key should be separated?
upvoted 1 times
gsax
1 year, 9 months ago
Selected Answer: A
A - the solution must also minimize operational overhead which it does with AWS managed CMKs. That's the only diff between A & C.
upvoted 1 times
samCarson
1 year, 11 months ago
Selected Answer: A
A. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt. The security team should recommend using separate S3 buckets for each team with distinct AWS managed CMKs. This approach ensures data segregation and allows for fine-grained access control by limiting encryption and decryption permissions to the respective teams. By enforcing the use of encryption context during encryption and decryption operations, auditability of key usage can be achieved. This solution minimizes operational overhead while meeting the requirement of keeping the teams' data separate and auditable. Option C introduces the use of customer managed CMKs, which may increase operational overhead, as the security team would need to manage and rotate the CMKs for each team.
upvoted 1 times
pal40sg
2 years ago
Selected Answer: A
option A: Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed customer master keys (CMKs). Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
upvoted 1 times
pal40sg
2 years ago
Option B, which suggests using a single AWS managed CMK for both teams, does not satisfy the requirement. Option C suggests using separate customer managed CMKs, which introduces additional operational overhead. Option D, similar to option B, does not provide data separation between the teams.
upvoted 1 times
ITGURU51
2 years, 1 month ago
The best way to audit the key is to create a single key for each group. That way we can limit who gets to encrypt and decrypt the data. The question is testing your ability to follow the principle of least privilege. C
upvoted 1 times
kvirk
2 years, 2 months ago
Selected Answer: A
This approach ensures that the data of both teams is always separate, as each team has its own S3 bucket and CMK. Additionally, the key policies can be limited to only allow encryption and decryption of the CMKs to their respective teams, ensuring that the data cannot be accessed by the wrong team. Enforcing the use of encryption context ensures that the teams are using the keys correctly and helps prevent unauthorized access. Finally, using AWS managed CMKs instead of customer managed CMKs minimizes operational overhead, as AWS automatically manages the key rotation and other maintenance tasks. Option B is not recommended as it does not ensure that the data of both teams is always separate. Option C is a good alternative, but using AWS managed CMKs is preferable to minimize operational overhead. Option D is not recommended as it does not enforce the use of encryption context, which is important for security.
upvoted 1 times
gerches
2 years ago
You cannot edit key policies of an AWS managed key.
upvoted 1 times
boooliyooo
2 years, 4 months ago
Selected Answer: C
Firstly, using AWS managed CMKs may not provide as much control over the key as using customer managed CMKs, as it is managed by AWS and not by the security team. Secondly, while using encryption context is a good practice to ensure proper encryption and decryption of the data and to track key usage, it adds an additional layer of complexity to the process, which may increase the operational overhead. In some cases, the added complexity may be unnecessary and the security team could use other security controls to achieve the same level of security. Finally, while separating the data into different S3 buckets is a good practice, it may not be enough to separate the teams' data, as the encryption key is shared among all the data in the bucket. So, even though the data is separate, the key is not. For those reasons, option C is the more optimal choice for this scenario.
upvoted 1 times
sapien45
2 years, 9 months ago
Selected Answer: C
* Each team's data must always be separate: two keys
* Sensitive data: two keys
* Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only: only doable with customer managed CMKs
upvoted 2 times
xaocho
2 years, 10 months ago
Selected Answer: C
I think C, agree with @skipbaylessfor3
upvoted 2 times
lotfi50
2 years, 12 months ago
Selected Answer: C
Answer is C
upvoted 2 times
jackfei
3 years ago
C. different S3 buckets with separate AWS Key Management Service (AWS KMS)
upvoted 1 times
TigerInTheCloud
3 years, 1 month ago
Selected Answer: B
Let AWS manage the key to "reduce operating costs"; and with separate S3 buckets, there is no need for the complexity (an operating cost) of using encryption context.
upvoted 3 times
MoreOps
3 years, 2 months ago
Selected Answer: C
I think C makes the most sense. I would want to have more control over the key, so it's customer managed.
upvoted 2 times
Radhaghosh
3 years, 4 months ago
"Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only" --> 2 separate keys --> customer managed keys and 2 separate S3 buckets. Answer is C.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other