Exam AWS Certified Solutions Architect - Professional topic 1 question 75 discussion

You are designing a personal document-archiving solution for your global enterprise with thousands of employees. Each employee has potentially gigabytes of data to be backed up in this archiving solution. The solution will be exposed to the employees as an application, where they can just drag and drop their files to the archiving system. Employees can retrieve their archives through a web interface. The corporate network has high bandwidth AWS Direct Connect connectivity to AWS.
You have a regulatory requirement that all data needs to be encrypted before being uploaded to the cloud.
How do you implement this in a highly available and cost-efficient way?

  • A. Manage encryption keys on-premises in an encrypted relational database. Set up an on-premises server with sufficient storage to temporarily store files, and then upload them to Amazon S3, providing a client-side master key.
  • B. Manage encryption keys in a Hardware Security Module (HSM) appliance on-premises server with sufficient storage to temporarily store, encrypt, and upload files directly into Amazon Glacier.
  • C. Manage encryption keys in Amazon Key Management Service (KMS), upload to Amazon Simple Storage Service (S3) with client-side encryption using a KMS customer master key ID, and configure Amazon S3 lifecycle policies to store each object using the Amazon Glacier storage tier.
  • D. Manage encryption keys in an AWS CloudHSM appliance. Encrypt files prior to uploading on the employee desktop, and then upload directly into Amazon Glacier.
Suggested Answer: C

Comments

cldy
Highly Voted 3 years, 6 months ago
C. Amazon S3 Encryption Client + KMS https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html
upvoted 7 times
amministrazione
Most Recent 8 months, 3 weeks ago
C. Manage encryption keys in Amazon Key Management Service (KMS), upload to Amazon Simple Storage Service (S3) with client-side encryption using a KMS customer master key ID, and configure Amazon S3 lifecycle policies to store each object using the Amazon Glacier storage tier.
upvoted 1 times
TravelKo
1 year, 9 months ago
Selected Answer: B
I will go with B, encrypt the files before sending them to the cloud.
upvoted 1 times
TigerInTheCloud
2 years, 4 months ago
Selected Answer: C
Key words: "thousands of employees", "archiving", "encrypted before being uploaded", "highly available", and "cost-efficient". A. Not good, encryption in the cloud. B. Doable, but an on-premises HSM is not cheap. C. Better than B, reduces the key management cost. The encryption is on the client side with the key managed in KMS (https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html). D. CloudHSM is more expensive than KMS. Managing the load to Glacier directly is not more complex than utilizing the S3 life-cycle to do the work. Also, granting a user access to his/her own document is easy with S3.
upvoted 2 times
evgeng
2 years, 5 months ago
How could it be C? https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html The encryption is happening in the cloud... And it does not matter that it is encrypted in transit, as it is encrypted by TLS over HTTP. However, it appears unencrypted on S3 before it is encrypted with the client-provided key... https://awsinfographics.s3.amazonaws.com/S3_Encryption_Infographic.png
upvoted 1 times
jack_melvin
1 year, 8 months ago
C is client-side encryption, which means files are encrypted on the client side before being uploaded to S3. Your link to ServerSideEncryptionCustomerKeys is a different thing.
upvoted 1 times
AMKazi
3 years, 3 months ago
C: client side encryption will ensure data is encrypted in transit as well
upvoted 2 times
cldy
3 years, 4 months ago
C: Amazon S3 Encryption Client + KMS
upvoted 1 times
Ni_yot
3 years, 4 months ago
C for me. AWS KMS and Client side Enc
upvoted 1 times
nwk
3 years, 6 months ago
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html
upvoted 1 times
01037
3 years, 6 months ago
Yes, C. Glacier isn't necessary.
upvoted 1 times
Jonfernz
3 years, 1 month ago
C is the answer, but not because Glacier isn't necessary. The objects need to go through S3 first for client-side encryption before they are moved to Glacier. That's why C is the answer.
upvoted 1 times
TaherShaker
3 years, 7 months ago
You can use the Amazon S3 Encryption Client in the AWS SDK in your own application to encrypt objects and upload them to Amazon S3. This method allows you to encrypt your data locally to ensure its security as it passes to the Amazon S3 service. The Amazon S3 service receives your encrypted data; it does not play a role in encrypting or decrypting it. The Amazon S3 Encryption Client encrypts the object by using envelope encryption. The client calls AWS KMS as a part of the encryption call you make when you pass your data to the client. AWS KMS verifies that you are authorized to use the customer master key (CMK) that you specify and, if so, returns a new plaintext data key and the data key encrypted under the CMK. The Amazon S3 Encryption Client encrypts the data by using the plaintext key and then deletes the key from memory. The encrypted data key is sent to Amazon S3 to store alongside your encrypted data. References: https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html
upvoted 4 times
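The envelope flow TaherShaker quotes above, and the client-side versus server-side distinction jack_melvin draws earlier in the thread, as an added worked example. This is not code from the page, from AWS, or from any AWS SDK: it stands in a local KMS stub (kmsStub, an assumption) for the real GenerateDataKey and Decrypt calls so it runs offline, uses Go's standard-library AES-GCM in place of the SDK's content cipher, and the encryptedObject field names are the example's own rather than the S3 Encryption Client's x-amz-* metadata keys. What it shows is the property the regulation asks for: the bytes that would be uploaded never contain the plaintext or the plaintext data key, only a data key wrapped under the KMS key, and the plaintext key is wiped from memory once the object is sealed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// kmsStub stands in for AWS KMS (assumption: local stand-in; the real service is never called).
type kmsStub struct {
	keyID string
	cmk   []byte // 32-byte AES-256 key held "inside KMS", e.g. mustRandom(32)
}

// GenerateDataKey returns a fresh plaintext data key plus the same key wrapped under
// the CMK. The key ID is bound as associated data (like a KMS encryption context).
func (k *kmsStub) GenerateDataKey(keyID string) (plaintext, wrapped []byte, err error) {
	if keyID != k.keyID {
		return nil, nil, errors.New("kms: key not found or caller not authorized")
	}
	plaintext = mustRandom(32)
	return plaintext, sealGCM(k.cmk, plaintext, []byte(keyID)), nil
}

// Decrypt unwraps a data key; a wrong key ID fails the GCM tag check via the AAD.
func (k *kmsStub) Decrypt(wrapped []byte, keyID string) ([]byte, error) {
	return openGCM(k.cmk, wrapped, []byte(keyID))
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming error
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// sealGCM encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func sealGCM(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// openGCM reverses sealGCM; any change to ciphertext or tag fails authentication.
func openGCM(key, data, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// encryptedObject is what is actually PUT to S3: ciphertext in the body plus the
// wrapped data key and key ID (the real client carries these in x-amz-* metadata).
type encryptedObject struct {
	Body       []byte
	WrappedKey []byte
	KeyID      string
}

// clientSideEncrypt runs on the employee's machine before anything is uploaded.
func clientSideEncrypt(kms *kmsStub, keyID string, plaintext []byte) (*encryptedObject, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey) // plaintext data key is wiped once the body is sealed
	return &encryptedObject{Body: sealGCM(dataKey, plaintext, nil), WrappedKey: wrapped, KeyID: keyID}, nil
}

// clientSideDecrypt runs on the reader's side: one KMS Decrypt call, then local AES.
func clientSideDecrypt(kms *kmsStub, obj *encryptedObject) ([]byte, error) {
	dataKey, err := kms.Decrypt(obj.WrappedKey, obj.KeyID)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	return openGCM(dataKey, obj.Body, nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Contrast this with the SSE-C page evgeng linked: there the client sends the key and the plaintext to S3 over TLS and S3 does the encryption, so the plaintext is visible to the service before it is written. Here S3 only ever receives Body and WrappedKey; the one thing the cloud side can do with the wrapped key is hand it back to a caller that KMS authorizes to Decrypt under that key ID, which is also where per-employee access control on the archive would be enforced.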
Community vote distribution: A (35%), C (25%), B (20%), other.