Exam AWS Certified Security - Specialty topic 1 question 315 discussion

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account were compromised and the Amazon EBS snapshots deleted.
All EBS snapshots are encrypted using an AWS KMS CMK.
Which solution would solve this problem?

  • A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
  • B. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
  • C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
  • D. Use AWS Backup to copy EBS snapshots to Amazon S3.
Suggested Answer: C
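As an added example (not from the exam page or from any commenter), this bash script is the manual form of answer C using the AWS CLI: the source account adds key-policy statements so the recovery account can use the CMK and shares the snapshot, then the recovery account copies the snapshot and re-encrypts it under a key it owns, so the copy no longer depends on the source account's key. The account ids, key ARN, snapshot id and the "source"/"recovery" CLI profile names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the exam page: the manual form of answer C (what a DLM
# cross-account copy policy automates). Account ids, key ARN, snapshot id and the
# "source"/"recovery" CLI profiles are placeholders; replace them.
set -eu
RECOVERY_ACCOUNT="${RECOVERY_ACCOUNT:-222222222222}"  # limited-privilege recovery account
RECOVERY_KEY_ARN="${RECOVERY_KEY_ARN:-arn:aws:kms:us-east-1:222222222222:key/EXAMPLE-RECOVERY-KEY}"
SNAPSHOT_ID="${SNAPSHOT_ID:-snap-0123456789abcdef0}"
REGION="${REGION:-us-east-1}"
# Statements the SOURCE account adds to its CMK key policy so the recovery account can
# decrypt the snapshot during the copy. The recovery account's IAM principal also needs
# an identity policy allowing the same kms actions on the source key's ARN.
cross_account_key_statements() {
  cat <<EOF
[
  {
    "Sid": "AllowRecoveryAccountUseOfKey",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$1:root"},
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
    "Resource": "*"
  },
  {
    "Sid": "AllowRecoveryAccountGrantsForEBS",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$1:root"},
    "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
    "Resource": "*",
    "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
  }
]
EOF
}
# Step 1 (run as the source account): share the encrypted snapshot with the recovery account.
share_snapshot() {
  aws ec2 modify-snapshot-attribute --profile source --region "$REGION" \
    --snapshot-id "$SNAPSHOT_ID" --attribute createVolumePermission \
    --operation-type add --user-ids "$RECOVERY_ACCOUNT"
}
# Step 2 (run as the recovery account): copy and re-encrypt under a key the recovery
# account owns, so later deletion of the source CMK cannot make the copy unreadable.
copy_to_recovery() {
  aws ec2 copy-snapshot --profile recovery --region "$REGION" \
    --source-region "$REGION" --source-snapshot-id "$SNAPSHOT_ID" \
    --encrypted --kms-key-id "$RECOVERY_KEY_ARN" \
    --query SnapshotId --output text
}
# AWS calls only happen when explicitly requested; printing the policy is side-effect free.
if [ "${RUN_AWS:-0}" = 1 ]; then share_snapshot && copy_to_recovery; fi
```

Nothing is sent to AWS unless RUN_AWS=1 is set; a Data Lifecycle Manager cross-account copy policy is the scheduled equivalent of steps 1 and 2.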

Comments

sapien45
Highly Voted 2 years, 11 months ago
Selected Answer: C
We use this strategy
upvoted 5 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
Option A seems a very good solution to me! C is a fine solution, but why not A? What makes A less appealing than C?!!! In fact, using Glacier Vault Lock is the ONLY way to protect against data deletion, and even after moving snapshots/backups to a different account, Glacier Vault Lock would be required to protect against data deletion from the new account.
upvoted 1 times
SKS
2 years ago
I think D could be the right answer; I wonder why no one focused on that: https://aws.amazon.com/getting-started/hands-on/amazon-ebs-backup-and-restore-using-aws-backup/
upvoted 3 times
ITGURU51
2 years, 2 months ago
The question states that all EBS snapshots are encrypted using an AWS KMS CMK. C is the only answer that implies that the encrypted snapshot must be decrypted using the CMK.
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: C
C is the answer. In the AWS document https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-policy.html, "[a]utomating cross-account snapshot copies ... enables you to protect yourself against data loss in the event of your account being compromised." Answer A may prevent the deletion, but what if the KMS key is deleted without anyone noticing? Also, the restore process is harder to implement.
upvoted 4 times
Tofu13
2 years, 1 month ago
C seems to be right. But what happens if the KMS key on the compromised account gets deleted in this case? You don't have a copy of the key, just the right to access the key. But after deletion, that access will not work any longer. Am I getting it wrong?
upvoted 1 times
ideoignus
3 years, 4 months ago
Selected Answer: C
A - the S3 bucket is not visible or manageable by the user.
B - Systems Manager Run Command cannot distribute snapshot copies; Data Lifecycle Manager does that.
D - AWS Backup does not publish its use of S3 and does not publish its storage mechanisms other than backup vaults.
C - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html
upvoted 4 times
Radhaghosh
3 years, 5 months ago
C is the correct answer
upvoted 1 times
AWS_Dude
3 years, 5 months ago
B and C are correct; however, the question is asking which answer is MOST effective. That would be C, since it's the more secure architecture.
upvoted 1 times
AWS_Dude
3 years, 5 months ago
C is correct, but to add to this, D is not correct because, although AWS Backup is great for securing backups, the answer says it pushes the snapshots to S3, which could be deleted if the account is compromised. Now, if the answer said it was using AWS Backup with a Vault Lock, then it would be the correct answer, since using the vault lock stops anyone from deleting it. https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html
upvoted 2 times
ggx
3 years, 5 months ago
C is the right answer. Create a recovery account/region with limited access; you need the same CMK to decrypt data in the recovery account.
upvoted 1 times
babaseun
3 years, 6 months ago
C....... https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-policy.html
upvoted 2 times
argol
3 years, 6 months ago
https://aws.amazon.com/blogs/compute/automating-the-creation-of-consistent-amazon-ebs-snapshots-with-amazon-ec2-systems-manager-part-1/ "B" is the answer
upvoted 1 times
zenek666
3 years, 6 months ago
C is the correct answer
upvoted 2 times
Master455
3 years, 6 months ago
A for me
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), other.