Exam AWS Certified Security - Specialty topic 1 question 297 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 297
Topic #: 1

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket that stores the files is configured for server-side encryption with S3 managed encryption keys (SSE-S3).
According to new security requirements, the company must control all encryption keys. Additionally, all objects in the S3 bucket must be encrypted by a key that the company controls.
Which combination of steps must a security engineer take to meet these requirements? (Choose three.)

  • A. Create a new customer managed CMK in AWS Key Management Service (AWS KMS).
  • B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided encryption keys (SSE-C).
  • C. Configure the PHP SDK to use the SSE-S3 key to encrypt the data before the data is uploaded to Amazon S3.
  • D. Create an AWS managed CMK for Amazon S3 in AWS Key Management Service (AWS KMS).
  • E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
  • F. Change all the S3 objects in the bucket to use the new encryption key.
Suggested Answer: AEF
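
Steps E and F of the suggested answer, sketched as an added example that is not part of the original page: the bucket default is switched to SSE-KMS, then every object not yet under the company's key is copied onto itself, because a new bucket default applies only to new uploads. The key from step A is assumed to exist already; the key ARN, bucket name, object metadata and the `FakeS3` stand-in are constructed so the code runs offline, while the parameter names are those of the boto3 S3 client.

```python
# Added illustration: key ARN, bucket name and object metadata are constructed.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def default_encryption_config(key_arn):
    """Step E: value for put_bucket_encryption(ServerSideEncryptionConfiguration=...)."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True,  # reduces per-object KMS requests
    }]}

def needs_reencryption(head, key_arn):
    """True unless a head_object()-shaped response shows SSE-KMS under key_arn."""
    return not (head.get("ServerSideEncryption") == "aws:kms"
                and head.get("SSEKMSKeyId") == key_arn)

def reencrypt_bucket(s3, bucket, keys, key_arn):
    """Step F: copy each stale object onto itself under the new key.
    copy_object handles objects up to 5 GB; larger ones need a multipart copy."""
    changed = []
    for key in keys:
        if needs_reencryption(s3.head_object(Bucket=bucket, Key=key), key_arn):
            s3.copy_object(Bucket=bucket, Key=key,
                           CopySource={"Bucket": bucket, "Key": key},
                           ServerSideEncryption="aws:kms", SSEKMSKeyId=key_arn)
            changed.append(key)
    return changed

class FakeS3:
    """Constructed in-memory stand-in for a boto3 S3 client (offline demo)."""
    def __init__(self, objects):
        self.objects = objects
    def head_object(self, Bucket, Key):
        return dict(self.objects[Key])
    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption, SSEKMSKeyId):
        self.objects[Key] = {"ServerSideEncryption": ServerSideEncryption,
                             "SSEKMSKeyId": SSEKMSKeyId}

def demo():
    s3 = FakeS3({
        "a.jpg": {"ServerSideEncryption": "AES256"},   # still SSE-S3
        "b.pdf": {"ServerSideEncryption": "aws:kms",   # KMS, but a different key
                  "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER"},
        "c.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN},
    })
    first = reencrypt_bucket(s3, "example-bucket", sorted(s3.objects), KEY_ARN)
    second = reencrypt_bucket(s3, "example-bucket", sorted(s3.objects), KEY_ARN)
    return first, second  # second pass finds nothing left to change
```

With a real client, pass `boto3.client("s3")` in place of `FakeS3`; on a versioned bucket the copy creates a new version and earlier versions keep their old encryption.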

Comments

jayaj
Highly Voted 3 years, 5 months ago
It's AEF. When creating an S3 bucket you have these options for encryption.
Server-side encryption [enable, disable]: select Enable.
Encryption key type: you have 2 options as below:
1 - Amazon S3 key (SSE-S3)
2 - AWS Key Management Service key (SSE-KMS)
Select option 2 here; then under AWS KMS key you have these 2 options to select:
1 - AWS managed key (aws/s3)
2 - Choose from your AWS KMS keys
So select option 2 and use the CMK you created in A.
upvoted 20 times
sapien45
2 years, 10 months ago
Best answer here.
upvoted 2 times
RamKun
Highly Voted 3 years, 6 months ago
AEF Customer Managed KMS
upvoted 10 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: AEF
Correct answers are AEF.
upvoted 1 times
EDD09876
1 year, 5 months ago
Selected Answer: AEF
AEF is the answer
upvoted 1 times
howchan
1 year, 7 months ago
Selected Answer: ABF
ABF B => https://docs.aws.amazon.com/ko_kr/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
upvoted 2 times
Toptip
2 years, 1 month ago
Selected Answer: AEF
A, E, F. A+B = wrong and can't be combined together, since the key with SSE-C is provided from the client and never stored in AWS.
upvoted 1 times
Tofu13
2 years, 1 month ago
Selected Answer: ABF
jayaj might be right about the options in the console, but SSE-C encryption is still possible. https://aws.amazon.com/about-aws/whats-new/2014/06/12/amazon-s3-now-supports-server-side-encryption-with-customer-provided-keys-sse-c/
"By using server-side encryption with customer-provided keys (SSE-C), you can store your own encryption keys." I think that this is what the phrase "all objects in the S3 bucket must be encrypted by a key that the company controls." points to. https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
Finally, here is the info that you cannot use the console: "You cannot use the Amazon S3 console to upload an object and request SSE-C. You also cannot use the console to update (for example, change the storage class or add metadata) an existing object stored using SSE-C." https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#specifying-s3-c-encryption
upvoted 2 times
Jimmy123
2 years, 5 months ago
Selected Answer: ABF
A, B and F are the steps that a security engineer should take to meet the company's new security requirements. A: Create a new customer-managed CMK in AWS Key Management Service (AWS KMS) to control the encryption key. B: Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided encryption keys (SSE-C) in order for the company to control the encryption keys. F: Change all the S3 objects in the bucket to use the new encryption key. C and D are not necessary as the PHP SDK does not need to use the SSE-S3 key to encrypt the data as the SSE-C will be used for encryption. E is not necessary as well as the company wants to control the encryption keys and not use AWS managed CMK for Amazon S3.
upvoted 2 times
jishrajesh
2 years, 6 months ago
AEF is correct
upvoted 1 times
Teknoklutz
2 years, 6 months ago
Selected Answer: AEF
In Option A - it says to create customer managed CMK and Option D talks about AWS Managed CMK......not the correct answers
upvoted 2 times
vikaswalajay
2 years, 9 months ago
ABEF. I think the answer is mistyped; E should be AWS managed, which points the definite answer to ABF.
upvoted 1 times
cloud_collector
2 years, 9 months ago
Based on the new request, customer-managed encryption is needed. Between A & D, A is better. Between B & E, E is better. F is for applying the new encryption. C is ruled out.
upvoted 1 times
Root_Access
2 years, 10 months ago
Selected Answer: AEF
https://aws.amazon.com/blogs/storage/changing-your-amazon-s3-encryption-from-s3-managed-encryption-sse-s3-to-aws-key-management-service-sse-kms/
upvoted 3 times
francisco_guerra
2 years, 10 months ago
B, C, F. Tricky question. I was reading about SSE-C, so:
A: Contents must be encrypted using a key that the enterprise owns, so we should import a key?
B: Yes, check the link; you can change the policy to accept SSE-C.
C: Yes, in the link there are examples using the SDK with Java and .NET, and PHP works too.
D: No, enterprise owned.
E: No, we are going to use SSE-C.
F: Yes, it's possible with the SDK.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
The question does not say anything about the keys that they have being in KMS.
upvoted 1 times
captainpike
1 year, 11 months ago
For A: Yes, we should.
upvoted 1 times
dcasabona
2 years, 11 months ago
Selected Answer: ABF
Options A, B and F for me.
upvoted 1 times
sapien45
2 years, 11 months ago
Wording of the question is lame ... and I am not an English speaker. It makes you think that it is customer-provided encryption keys (SSE-C), but then you are forced to choose KMS in addition to SSE-C to offer three choices, but that does not make any sense. AEF. So fall back to Customer Managed KMS CMK.
upvoted 2 times
slymenk
3 years, 1 month ago
Selected Answer: AEF
B is wrong because you can't choose SSE-C in settings, you just provide it via API call.
C is wrong because it doesn't make sense; SSE-S3 does not require a change in the client.
D: AWS managed CMK is not what is required.
upvoted 4 times