Exam AWS Certified Security - Specialty topic 1 question 297 discussion

Its AEF. When creating a S3 bucket you have these options for encryption. Server-side encryption [ enable, disable] - select Enable Encryption key type as - you have 2 options as below 1 - Amazon S3 key (SSE-S3) 2 - AWS Key Management Service key (SSE-KMS) select option 2 here then under AWS KMS key you have these 2 options to select. 1 AWS managed key (aws/s3) 2 Choose from your AWS KMS keys so select option 2 and use the CMK you created in A

AEF Customer Managed KMS

Correct answers are AEF.

AEF is the answer

ABF B => https://docs.aws.amazon.com/ko_kr/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html

A,E,F A+B = Wong and can't be combined together since the KEY with SSE-C is provided from the client and never stored in AWS

jayai might be right about the options in the console, but SSE-C encryption is still possible. https://aws.amazon.com/about-aws/whats-new/2014/06/12/amazon-s3-now-supports-server-side-encryption-with-customer-provided-keys-sse-c/ "By using server-side encryption with customer-provided keys (SSE-C), you can store your own encryption keys." I think that this is what the phrase "all objects in the S3 bucket must be encrypted by a key that the company controls." points to. https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html Finally, here is the info that u cannot use the console: You cannot use the Amazon S3 console to upload an object and request SSE-C. You also cannot use the console to update (for example, change the storage class or add metadata) an existing object stored using SSE-C. https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#specifying-s3-c-encryption

A, B and F are the steps that a security engineer should take to meet the company's new security requirements. A: Create a new customer-managed CMK in AWS Key Management Service (AWS KMS) to control the encryption key. B: Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided encryption keys (SSE-C) in order for the company to control the encryption keys. F: Change all the S3 objects in the bucket to use the new encryption key. C and D are not necessary as the PHP SDK does not need to use the SSE-S3 key to encrypt the data as the SSE-C will be used for encryption. E is not necessary as well as the company wants to control the encryption keys and not use AWS managed CMK for Amazon S3.

AEF is correct

In Option A - it says to create customer managed CMK and Option D talks about AWS Managed CMK......not the correct answers

ABEF i think answer mis typed, e should be aws managed which points definate answer to abf

Base on new request is need a custome-managed encryption Between A & D , A is better, Between B & E, E is better. F is for appling new encryption. C is rule out

https://aws.amazon.com/blogs/storage/changing-your-amazon-s3-encryption-from-s3-managed-encryption-sse-s3-to-aws-key-management-service-sse-kms/

B,C,F Tricky question I was reading about SSE-C So: A: contents must be encrypted using a key that the enterprise owns so we should import key? B: Yes check the link you can change the policy to accept SSE-C C: Yes in the link are examples using SDK with Java and .NET and PHP works too. D: No, enterprise own. E: No we are going to use SSE-C F: Yes its possible with the SDK https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html The Q do not say anything to that the keys that they have are in KMS

Options A, B and F for me.

Wording of the question is lame ... and I am not an english speaker. It makes you think that it is customer-provided encryption keys (SSE-C), but then you are forced to choose KMS in addition to SSE-C to offer three choices, but does not make any sense. AEF So fallback to Customer Managed KMS CMK

B is wrong cz you cant choose SSE-C in settings, you just provide it via api call C is wrong, cz it doesnt make sense SSE-S3 does not require change in the client D AWS managed CMK is not what is required