Exam AWS Certified Database - Specialty topic 1 question 157 discussion

Exam question from Amazon's AWS Certified Database - Specialty
Question #: 157
Topic #: 1

A financial services company uses Amazon RDS for Oracle with Transparent Data Encryption (TDE). The company is required to encrypt its data at rest at all times. The key required to decrypt the data has to be highly available, and access to the key must be limited. As a regulatory requirement, the company must have the ability to rotate the encryption key on demand. The company must be able to make the key unusable if any potential security breaches are spotted. The company also needs to accomplish these tasks with minimum overhead.
What should the database administrator use to set up the encryption to meet these requirements?

  • A. AWS CloudHSM
  • B. AWS Key Management Service (AWS KMS) with an AWS managed key
  • C. AWS Key Management Service (AWS KMS) with server-side encryption
  • D. AWS Key Management Service (AWS KMS) CMK with customer-provided material
Suggested Answer: D

Comments

Dantas
Highly Voted 3 years, 2 months ago
Selected Answer: D
Key rotation ✓ Key deletion ✓ Minimal overhead ✓
upvoted 6 times
Pranava_GCP
Most Recent 1 year, 8 months ago
Selected Answer: D
D. AWS Key Management Service (AWS KMS) CMK with customer-provided material https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt "The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion. "
upvoted 2 times
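The controls quoted above (a key policy you own, enable/disable, rotation, scheduled deletion) are what make the customer managed key fit the "access to the key must be limited" and "make the key unusable" requirements. As an added illustration that is not part of the original thread, the Python below builds a key policy of the kind such a key would carry for an RDS instance and audits it for the access-limiting properties. The account ID, region and role names are placeholders; `kms:ViaService` and `kms:CallerAccount` are real KMS condition keys, and the root statement mirrors the KMS default key policy.

```python
"""Build and audit a KMS key policy for a customer managed key used by RDS.

Added example, not code from the original page. ACCOUNT_ID, REGION and the
role ARNs are placeholders; replace them with your own values.
"""
import json

ACCOUNT_ID = "111122223333"                                      # placeholder
REGION = "us-east-1"                                             # placeholder
ACCOUNT_ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"
KEY_ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdmin"   # placeholder
DBA_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/DatabaseAdmin"       # placeholder
DEFAULT_ADMINS = frozenset({ACCOUNT_ROOT, KEY_ADMIN_ROLE})

# Lifecycle actions the key administrator needs for this scenario: rotate on
# demand, disable the key after a suspected breach, and retire it.
ADMIN_ACTIONS = [
    "kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
    "kms:EnableKeyRotation", "kms:DisableKeyRotation", "kms:GetKeyRotationStatus",
    "kms:EnableKey", "kms:DisableKey",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Data-plane actions RDS performs on the DBA's behalf when it uses the key.
USE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
]


def build_key_policy():
    """Key policy: root (default statement), a key admin, and use only via RDS."""
    return {"Version": "2012-10-17", "Statement": [
        {   # Default statement; removing it risks an unmanageable key.
            "Sid": "EnableIAMUserPermissions", "Effect": "Allow",
            "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": KEY_ADMIN_ROLE}, "Action": ADMIN_ACTIONS, "Resource": "*"},
        {   # The DBA can only use the key through RDS in this account/region.
            "Sid": "UseOnlyThroughRds", "Effect": "Allow",
            "Principal": {"AWS": DBA_ROLE}, "Action": USE_ACTIONS, "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": f"rds.{REGION}.amazonaws.com",
                "kms:CallerAccount": ACCOUNT_ID}}},
    ]}


def permissive_policy():
    """Constructed counter-example: anyone can administer and use the key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Open", "Effect": "Allow", "Principal": "*",
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "UseAnywhere", "Effect": "Allow", "Principal": {"AWS": DBA_ROLE},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ]}


LIFECYCLE_ACTIONS = {"kms:*", "kms:PutKeyPolicy", "kms:EnableKey", "kms:DisableKey",
                     "kms:ScheduleKeyDeletion", "kms:EnableKeyRotation",
                     "kms:DisableKeyRotation"}
DATA_PLANE_PREFIXES = ("kms:*", "kms:Encrypt", "kms:Decrypt",
                       "kms:GenerateDataKey", "kms:ReEncrypt")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return [a for v in p.values() for a in _as_list(v)]
    return _as_list(p)


def _pinned_to_service(stmt):
    return any("kms:ViaService" in block
               for block in stmt.get("Condition", {}).values())


def audit_key_policy(policy, admins=DEFAULT_ADMINS):
    """Return findings; an empty list means access is limited as intended."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = set(_principals(stmt))
        actions = set(_as_list(stmt.get("Action", [])))
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal")
        if actions & LIFECYCLE_ACTIONS and not principals <= admins:
            findings.append(f"{sid}: lifecycle actions granted outside key admins")
        if (not principals <= admins
                and any(a.startswith(DATA_PLANE_PREFIXES) for a in actions)
                and not _pinned_to_service(stmt)):
            findings.append(f"{sid}: data-plane use not pinned with kms:ViaService")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_key_policy(), indent=2))
    print("good policy findings:", audit_key_policy(build_key_policy()))
    print("bad policy findings:", audit_key_policy(permissive_policy()))
```

The auditor is a static check of the key policy only; IAM policies and grants in the account can still widen access, so review those too. Disabling the key (`kms:DisableKey`) is the immediate "make it unusable" step the question asks about, and the admin statement is the only place that action is granted.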
SamDDD
1 year, 11 months ago
Could be A: https://aws.amazon.com/blogs/security/aws-cloudhsm-is-now-integrated-with-amazon-rds-for-oracle-and-provides-enhanced-management-tools/ Hesitant as I cannot figure out how to rotate the keys in CloudHSM
upvoted 1 times
Germaneli
1 year, 8 months ago
Overhead for CloudHSM is exorbitant. This is not an option.
upvoted 1 times
lollyj
2 years, 5 months ago
Selected Answer: C
It was a toss between C and D however SSE provides less overhead and maintenance than D. I could be wrong.
upvoted 1 times
rags1482
2 years, 7 months ago
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion. Answer D
upvoted 3 times
shammous
2 years, 9 months ago
For those mentioning HSM: "You cannot use an Oracle instance in Amazon Relational Database Service (Amazon RDS) to integrate with AWS CloudHSM. You must install Oracle Database on an Amazon EC2 instance." Ref: https://docs.aws.amazon.com/cloudhsm/latest/userguide/oracle-tde.html This eliminates answer A. The key words that would make me choose answer D are "rotate encryption key on demand". Only a CMK allows you to do that. AWS managed keys are automatically rotated every year and the organization can't change that.
upvoted 3 times
Chirantan
2 years, 11 months ago
Could be A. "Enable transparent data encryption (TDE) for Oracle databases: Some versions of Oracle's database software offer a feature called Transparent Data Encryption (TDE). With TDE, the database software encrypts data before storing it on disk. The data in the database's table columns or tablespaces is encrypted with a table key or tablespace key. These keys are encrypted with the TDE master encryption key. You can store the TDE master encryption key in the HSMs in your AWS CloudHSM cluster, which provides additional security." https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html#transparent-data-encryption
upvoted 1 times
sachin
2 years, 11 months ago
Could be A because Cloud HSM is recently added to Oracle RDS https://aws.amazon.com/blogs/security/aws-cloudhsm-is-now-integrated-with-amazon-rds-for-oracle-and-provides-enhanced-management-tools/
upvoted 1 times
backbencher2022
2 years, 2 months ago
Sachin, please read the update on Nov 24 2021 for the same blog post (https://aws.amazon.com/blogs/security/aws-cloudhsm-is-now-integrated-with-amazon-rds-for-oracle-and-provides-enhanced-management-tools/). AWS CloudHSM Classic used to support RDS Oracle; however, AWS CloudHSM Classic has been discontinued and replaced by AWS CloudHSM, which supports HSM with EC2 only, not RDS. The first paragraph of this blog clearly says it: "November 24, 2021: This blog post announced a feature of AWS CloudHSM Classic which integrated with Amazon RDS for Oracle to provide customers with an easy integration for Transparent Data Encryption (TDE). The AWS CloudHSM team have since released AWS CloudHSM, and this feature is no longer available. For updated options, please see this blog post: https://aws.amazon.com/blogs/security/architecting-for-database-encryption-on-aws/."
upvoted 1 times
sachin
2 years, 11 months ago
Will go with D
upvoted 2 times
novice_expert
3 years, 1 month ago
Selected Answer: D
KMS CMK
upvoted 3 times
mike3g2000
3 years, 3 months ago
This one A for me: https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html
upvoted 1 times
mike3g2000
3 years, 2 months ago
You can't use cloudHSM with RDS, database has to be on ec2. D is the correct answer.
upvoted 2 times
DevoteamAnalytix
2 years, 11 months ago
Sure? https://aws.amazon.com/de/blogs/security/aws-cloudhsm-is-now-integrated-with-amazon-rds-for-oracle-and-provides-enhanced-management-tools/
upvoted 2 times
tugboat
3 years, 3 months ago
Selected Answer: D
Per - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html You must manage different keys for each encryption method.
upvoted 3 times
kped21
3 years, 3 months ago
D - CMK
upvoted 2 times
toppic26
3 years, 6 months ago
Look at rotation: Customer managed have on demand. Question asks for it https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
upvoted 3 times
hemantr
3 years, 6 months ago
D. https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
upvoted 3 times
leunamE
3 years, 7 months ago
D. AWS Key Management Service (AWS KMS) CMK with customer-provided material
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other