
Exam AWS Certified Data Analytics - Specialty All Questions


Exam AWS Certified Data Analytics - Specialty topic 1 question 129 discussion

An online retail company uses Amazon Redshift to store historical sales transactions. The company is required to encrypt data at rest in the clusters to comply with the Payment Card Industry Data Security Standard (PCI DSS). A corporate governance policy mandates management of encryption keys using an on-premises hardware security module (HSM).
Which solution meets these requirements?

  • A. Create and manage encryption keys using AWS CloudHSM Classic. Launch an Amazon Redshift cluster in a VPC with the option to use CloudHSM Classic for key management.
  • B. Create a VPC and establish a VPN connection between the VPC and the on-premises network. Create an HSM connection and client certificate for the on-premises HSM. Launch a cluster in the VPC with the option to use the on-premises HSM to store keys.
  • C. Create an HSM connection and client certificate for the on-premises HSM. Enable HSM encryption on the existing unencrypted cluster by modifying the cluster. Connect to the VPC where the Amazon Redshift cluster resides from the on-premises network using a VPN.
  • D. Create a replica of the on-premises HSM in AWS CloudHSM. Launch a cluster in a VPC with the option to use CloudHSM to store keys.
Suggested Answer: B
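The distinction the question turns on (encrypted at rest, and encrypted with keys held in a customer-controlled HSM rather than in KMS) is visible in the output of `aws redshift describe-clusters`, so it can be audited. The script below is an added example for this discussion, not code from the exam page or from AWS. It uses the `Encrypted`, `KmsKeyId` and `HsmStatus` fields of the DescribeClusters response; the sample payload, cluster names and key ARN are constructed by hand, and the policy it enforces (HSM-backed encryption only) is the one stated in the question.

```python
"""Audit Amazon Redshift clusters for PCI DSS at-rest encryption with
HSM-managed keys, using the JSON shape returned by
`aws redshift describe-clusters --output json`.

Added example, not part of the exam page or of any AWS tooling. The
sample payload below is constructed by hand; cluster identifiers, the
KMS key ARN and the HSM identifiers are assumptions.
"""
import json
from typing import Dict, List

# Constructed sample: one cluster built the way option B describes
# (HSM client certificate + HSM configuration, status active), one
# encrypted with KMS only, and one legacy cluster with no encryption.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {
            "ClusterIdentifier": "sales-history-hsm",
            "Encrypted": True,
            "HsmStatus": {
                "HsmClientCertificateIdentifier": "onprem-hsm-client-cert",
                "HsmConfigurationIdentifier": "onprem-hsm-config",
                "Status": "active",
            },
        },
        {
            "ClusterIdentifier": "sales-history-kms",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
        },
        {
            "ClusterIdentifier": "sales-history-legacy",
            "Encrypted": False,
        },
    ]
})


def classify_cluster(cluster: Dict) -> str:
    """Classify one cluster record from DescribeClusters.

    'hsm'         encrypted, keys in an external HSM, HSM status active
    'hsm_pending' HSM identifiers set but the HSM status is not yet active
    'kms'         encrypted, but with an AWS KMS key (fails the HSM policy)
    'unencrypted' no encryption at rest (fails PCI DSS and the HSM policy)
    """
    if not cluster.get("Encrypted", False):
        return "unencrypted"
    hsm = cluster.get("HsmStatus") or {}
    has_hsm_ids = bool(hsm.get("HsmClientCertificateIdentifier")
                       and hsm.get("HsmConfigurationIdentifier"))
    if has_hsm_ids and hsm.get("Status") == "active":
        return "hsm"
    if has_hsm_ids:
        return "hsm_pending"
    return "kms"


def audit(describe_clusters_json: str) -> Dict[str, List[str]]:
    """Group cluster identifiers by finding.

    Only 'hsm' satisfies both requirements in the question. A 'kms' or
    'unencrypted' cluster cannot be switched to HSM encryption by a
    modify call: a new HSM-encrypted cluster has to be launched and the
    data migrated into it, which is why option C does not work.
    """
    findings: Dict[str, List[str]] = {
        "hsm": [], "hsm_pending": [], "kms": [], "unencrypted": []
    }
    for cluster in json.loads(describe_clusters_json).get("Clusters", []):
        findings[classify_cluster(cluster)].append(cluster["ClusterIdentifier"])
    return findings


if __name__ == "__main__":
    report = audit(SAMPLE_DESCRIBE_CLUSTERS)
    for finding, clusters in report.items():
        for name in clusters:
            print(f"{finding:12s} {name}")
```

Run it against real output by piping `aws redshift describe-clusters --output json` into `audit()`; anything other than `hsm` is a finding, and for `kms` and `unencrypted` the remediation is a new cluster launched with an HSM client certificate and HSM configuration, followed by a data migration, not an in-place modify.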

Comments

lakediver
Highly Voted 3 years, 4 months ago
I will go with B. A - Wrong because on-premise HSM is required. C - Encryption can not be enabled on the existing unencrypted cluster. D - Redshift doesn't support AWS CloudHSM.
upvoted 18 times
srinivasa
Highly Voted 3 years, 5 months ago
Answer: B
upvoted 8 times
varun_5757
3 years, 5 months ago
Could you please explain why B is the best option? I see this link - https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html but it's not clear as to whether or not an on-premises HSM can be used? - "Amazon Redshift supports only AWS CloudHSM Classic. We don't support the newer AWS CloudHSM service."
upvoted 1 times
ali98
3 years, 5 months ago
https://docs.aws.amazon.com/redshift/latest/mgmt/security-key-management.html Amazon Redshift supports management of encryption keys in external hardware security modules (HSMs). The HSM can be on-premises or can be AWS CloudHSM.
upvoted 2 times
Olga2022
3 years, 5 months ago
From my understanding AWS CloudHSM Classic is an old service and AWS CloudHSM is newer. So, Redshift supports old AWS CloudHSM Classic or on-premise HSM: https://docs.aws.amazon.com/redshift/latest/mgmt/security-key-management.html "The HSM can be on-premises or can be AWS CloudHSM. When you use an HSM, you must use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM. Amazon Redshift supports only AWS CloudHSM Classic for key management." Agree the answer should be B
upvoted 2 times
pk349
Most Recent 2 years ago
B: I passed the test
upvoted 1 times
CleverMonkey092
2 years, 1 month ago
B for me
upvoted 1 times
cloudlearnerhere
2 years, 6 months ago
Correct answer is B as Redshift can be configured to use on-premises HSM using a VPN connection. Option A is wrong as AWS Classic CloudHSM does not meet the on-premises HSM requirement. Option C is wrong as enabling encryption on an existing cluster cannot be done with HSM. You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption. To do so, you can use either an AWS-managed key or a customer managed key. When you modify your cluster to enable AWS KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. Snapshots created from the encrypted cluster are also encrypted. Option D is wrong as Redshift only supports classic CloudHSM.
upvoted 1 times
rocky48
2 years, 9 months ago
Selected Answer: B
Answer: B
upvoted 1 times
Teraxs
3 years ago
Selected Answer: B
B - https://docs.aws.amazon.com/redshift/latest/mgmt/security-key-management.html
upvoted 1 times
rav009
3 years, 3 months ago
C is wrong Because “When you modify your cluster to enable AWS KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster.”
upvoted 3 times
tobsam
3 years, 4 months ago
Answer is C.
upvoted 1 times
ali98
3 years, 4 months ago
You can't enable hardware security module (HSM) encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster.
upvoted 1 times
DMK2021
3 years, 5 months ago
A : [Amazon Redshift supports only AWS CloudHSM Classic. We don't support the newer AWS CloudHSM service.] It looks like this is outdated question. see the article: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#working-with-HSM
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other