Exam AWS Certified Security - Specialty topic 1 question 439 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 439
Topic #: 1

A company’s application runs on an Amazon EC2 instance and stores objects in an Amazon S3 bucket. The EC2 instance is using an instance profile that provides access to read and write objects in the S3 bucket. The S3 bucket contains objects and has not been configured for any encryption at rest. The company is adopting a new security policy that mandates encryption at rest for all S3 buckets, encryption at rest for all objects in S3 buckets, and key rotation once every year.

What should a security engineer do to meet these requirements?

  • A. Enable server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Configure annual automatic key rotation. Use an S3 Batch Operations job with the COPY command to change all the objects in the S3 bucket to use the SSE-S3 key. Configure the EC2 instance profile with permissions to use the SSE-S3 key. Configure S3 data events to encrypt an object during a write operation.
  • B. Create a new AWS Key Management Service (AWS KMS) customer managed key. Configure annual automatic key rotation. Enable server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Add a bucket policy to the S3 bucket to enforce SSE-KMS encryption. Configure the EC2 instance profile with permissions to use the customer managed key.
  • C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Configure annual automatic key rotation. Enable server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Use an S3 Batch Operations job with the COPY command to change all the objects in the S3 bucket to use the customer managed key. Configure the EC2 instance profile with permissions to use the customer managed key.
  • D. Enable server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Configure annual automatic key rotation. Configure the EC2 instance profile with permissions to use the SSE-S3 key. Use the AWS CLI to copy the S3 objects in place by specifying the SSE-S3 key as the encryption key. Configure S3 data events to encrypt an object during a write operation.
Suggested Answer: C
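As an added example (not part of the original page or of AWS documentation), the Python below does the check behind the suggested answer: it audits HeadObject-style metadata for objects already in the bucket, flags every object that is not yet SSE-KMS encrypted with the target customer managed key, and writes the bucket,key manifest that an S3 Batch Operations COPY job consumes. The bucket name, key ARN and object metadata are constructed placeholders and no AWS API is called.

```python
"""Find S3 objects not encrypted with the target CMK and build a Batch Operations manifest."""
import csv
import io
from urllib.parse import quote

BUCKET = "example-app-bucket"  # assumed bucket name (placeholder)
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder key ARN

# Constructed HeadObject-style metadata: enabling default encryption on the bucket
# does not touch objects written earlier, so a mix like this is the realistic state.
SAMPLE_OBJECTS = {
    "reports/2023-q1.csv": {},                                  # written before any encryption
    "reports/2023-q2.csv": {"ServerSideEncryption": "AES256"},  # SSE-S3, not the CMK
    "uploads/new.png": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_ARN},
    "uploads/other.png": {"ServerSideEncryption": "aws:kms",
                          "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"},
}


def needs_reencryption(head, cmk_arn):
    """True unless the object is already SSE-KMS encrypted with exactly the target CMK."""
    return not (head.get("ServerSideEncryption") == "aws:kms"
                and head.get("SSEKMSKeyId") == cmk_arn)


def find_noncompliant(objects, cmk_arn):
    """Return the sorted keys that a COPY job must rewrite under the target CMK."""
    return sorted(key for key, head in objects.items() if needs_reencryption(head, cmk_arn))


def build_manifest(bucket, keys):
    """CSV manifest in the bucket,key form S3 Batch Operations reads; keys are URL-encoded."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for key in keys:
        writer.writerow([bucket, quote(key, safe="/")])
    return buf.getvalue()


if __name__ == "__main__":
    todo = find_noncompliant(SAMPLE_OBJECTS, CMK_ARN)
    print(f"{len(todo)} object(s) need re-encryption under {CMK_ARN}")
    print(build_manifest(BUCKET, todo), end="")
```

The manifest is the input to the S3 Batch Operations COPY job in answer C; note that the copy rewrites each object, so creation dates change, as the first comment below points out.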

Comments

AdamWest
Highly Voted 2 years, 8 months ago
C: As part of copying the objects, specify that S3 should encrypt the object with SSE-S3 or SSE-KMS encryption. This job copies the objects, so all your objects show an updated creation date upon completion, regardless of when you originally added them to S3. You also must specify the other properties for your set of objects as part of the S3 Batch Operations job, including object tags and storage class. https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/
upvoted 9 times
komik_101
2 years, 1 month ago
But the question also says "encryption at rest for all objects in S3 buckets, and key rotation once every year." B is saying OK, I will do this. Is C doing this?
upvoted 1 times
komik_101
Most Recent 2 years, 1 month ago
I asked Bard. It gave this answer, and I will say B. ME: Are you sure about this? Some people are saying the answer is C. Sure, let's take a look at option C as well: C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Configure annual automatic key rotation. Enable server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Use an S3 Batch Operations job with the COPY command to change all the objects in the S3 bucket to use the customer managed key. Configure the EC2 instance profile with permissions to use the customer managed key. Option C is also a valid approach, but it does not meet the requirement for key rotation once every year. The S3 Batch Operations job will only encrypt the objects in the S3 bucket once, and the customer managed key will not be rotated until the next year. Option B, on the other hand, meets all of the requirements. The customer managed key will be rotated annually, which will help to mitigate the risk of unauthorized access to the data.
upvoted 1 times
francinetanzx
2 years, 1 month ago
Option B does not take into account existing objects in S3. Enabling default encryption does not change the encryption of existing objects in the same bucket, which means they will remain unencrypted whilst new uploads are encrypted. https://aws.amazon.com/blogs/storage/encrypting-existing-amazon-s3-objects-with-the-aws-cli/
upvoted 3 times
6_8ftwin
2 years, 2 months ago
C. Answer B does not encrypt currently unencrypted objects. Also, once server-side encryption is enabled, there isn't a need for a bucket policy to enforce encryption on new objects.
upvoted 3 times
OCHT
2 years, 2 months ago
Selected Answer: B
B. Create a new AWS Key Management Service (AWS KMS) customer managed key. Configure annual automatic key rotation. Enable server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Add a bucket policy to the S3 bucket to enforce SSE-KMS encryption. Configure the EC2 instance profile with permissions to use the customer managed key. This option meets all the requirements stated in the question. By creating a new AWS KMS customer managed key and configuring annual key rotation, you address the encryption at rest and key rotation requirements. Enabling server-side encryption with SSE-KMS for the S3 bucket ensures that new objects are encrypted at rest. Adding a bucket policy to enforce SSE-KMS encryption will ensure all new objects uploaded to the bucket are encrypted. Finally, configuring the EC2 instance profile with permissions to use the customer managed key allows the application to read and write encrypted objects in the S3 bucket.
upvoted 1 times
jishrajesh
2 years, 7 months ago
Selected C
upvoted 1 times
tainh
2 years, 8 months ago
Selected Answer: C
C is correct
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other