Exam AWS Certified Security - Specialty topic 1 question 103 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 103
Topic #: 1

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.
The company's Developer Operations department learns about this only after the CMK has been deleted.
Which steps must be taken to address this situation?

  • A. Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.
  • B. Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.
  • C. Make a request to AWS Support to recover the S3 encrypted data.
  • D. Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.
Suggested Answer: A

Comments

INASR
Highly Voted 3 years, 7 months ago
Because deleting CMK has no immediate effect on the EC2 instance or the EBS volume. The reason is that Amazon EC2 is using the plaintext data key—not the CMK—to encrypt all disk I/O while the volume is attached to the instance. However, when the encrypted EBS volume is detached from the EC2 instance, Amazon EBS removes the plaintext key from memory. The next time the encrypted EBS volume is attached to an EC2 instance, the attachment fails, because Amazon EBS cannot use the CMK to decrypt the volume's encrypted data key.
upvoted 50 times
dfranco76
3 years, 6 months ago
Correct answer: A
upvoted 3 times
...
...
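The behaviour INASR describes above, turned into a triage check (an added example, not part of the original discussion): it sorts encrypted volumes whose KMS key is no longer usable into those still attached, which can still be read and must be copied before any detach, and those already detached. The JSON is constructed sample data shaped like `aws kms describe-key` and `aws ec2 describe-volumes` output, all IDs are made up, and `"Deleted"` is the script's own label for a key KMS no longer lists.

```python
import json

# Constructed sample data shaped like `aws kms describe-key` (KeyMetadata) and
# `aws ec2 describe-volumes` (Volumes) output. Every ID below is made up.
KEYS = json.loads("""[
  {"Arn": "arn:aws:kms:us-east-1:111122223333:key/aaaa", "KeyState": "Enabled"},
  {"Arn": "arn:aws:kms:us-east-1:111122223333:key/bbbb", "KeyState": "PendingDeletion"}
]""")
VOLUMES = json.loads("""[
  {"VolumeId": "vol-0001", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa",
   "Attachments": [{"InstanceId": "i-0aaa", "State": "attached"}]},
  {"VolumeId": "vol-0002", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb",
   "Attachments": [{"InstanceId": "i-0bbb", "State": "attached"}]},
  {"VolumeId": "vol-0003", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cccc",
   "Attachments": [{"InstanceId": "i-0ccc", "State": "attached"}]},
  {"VolumeId": "vol-0004", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cccc",
   "Attachments": []},
  {"VolumeId": "vol-0005", "Encrypted": false, "Attachments": []}
]""")


def triage(keys, volumes):
    """Split encrypted volumes whose KMS key is not Enabled into two lists:
    copy_now (still attached: the instance holds the plaintext data key, so
    copy the data off before any detach) and blocked (not attached: a new
    attachment needs KMS to decrypt the data key, which fails)."""
    state = {k["Arn"]: k["KeyState"] for k in keys}
    copy_now, blocked = [], []
    for vol in volumes:
        if not vol.get("Encrypted"):
            continue
        # "Deleted" is this script's own label for a key KMS no longer lists.
        key_state = state.get(vol["KmsKeyId"], "Deleted")
        if key_state == "Enabled":
            continue
        attached = any(a["State"] == "attached" for a in vol["Attachments"])
        (copy_now if attached else blocked).append((vol["VolumeId"], key_state))
    return copy_now, blocked


if __name__ == "__main__":
    urgent, stuck = triage(KEYS, VOLUMES)
    print("copy before detaching:", urgent)
    print("cannot be attached:", stuck)
```

For a key that is still in `PendingDeletion`, cancelling the scheduled deletion makes it usable again; the scenario in the question is the `Deleted` case, where the attached volume is the only readable copy.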
gft28
Highly Voted 3 years, 7 months ago
I think Danao works for AWS lol
upvoted 30 times
...
Deyemzy
Most Recent 11 months, 1 week ago
How is A the answer? This is not possible because the data is encrypted, and without the CMK, you cannot decrypt it.
upvoted 1 times
...
Raphaello
1 year, 3 months ago
Selected Answer: A
Correct answer is A. Well explained by INASR.
upvoted 1 times
...
ITGURU51
2 years, 1 month ago
The answer is A because we need to take a snapshot to recover data from the encrypted EBS volume. The question states that the original encryption key for the encrypted volume has been deleted.
upvoted 1 times
...
boooliyooo
2 years, 4 months ago
Selected Answer: A
official reference: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html "You perform an action that makes the KMS key unusable. This has no immediate effect on the EC2 instance or the EBS volume. Amazon EC2 is using the plaintext data key—not the KMS key—to encrypt all disk I/O while the volume is attached to the instance."
upvoted 2 times
...
ritears41
2 years, 9 months ago
Selected Answer: A
Correct answer: A
upvoted 1 times
...
fais1985
3 years, 6 months ago
A is correct: You schedule the CMK for deletion, which makes it unusable. This has no immediate effect on the EC2 instance or the EBS volume, because Amazon EC2 is using the plaintext data key—not the CMK—to encrypt disk I/O to the EBS volume.
upvoted 1 times
...
sanjaym
3 years, 6 months ago
Ans: A
upvoted 1 times
...
durmusc
3 years, 6 months ago
Answer: A. Data still in EBS volume. You should back it up before detaching.
upvoted 3 times
...
NANDY666
3 years, 6 months ago
A is Correct
upvoted 2 times
...
devjava
3 years, 6 months ago
Ans > A https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html#deleting-keys-how-it-works
upvoted 1 times
...
AfricanCloudGuru
3 years, 6 months ago
Ans (A)
upvoted 2 times
...
Ayusef
3 years, 6 months ago
That guy is Kimo with a different name now I promise. On another note thank you to all the technical fellows here. When I am in doubt you all always clear things up and I hope my post of real world use on some of the questions help also. Maybe one day we will have a technical guild like the middle ages.
upvoted 3 times
...
Dic
3 years, 6 months ago
A, because the key will remain plain-text in the memory until the instance depatched
upvoted 3 times
...
wzlinux
3 years, 7 months ago
I will go with A
upvoted 1 times
...
gfhbox0083
3 years, 7 months ago
A, for sure.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other