ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 458 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 458
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company’s security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket. The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption. Recently, the company changed the key on the S3 bucket to a new KMS key.

Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket. The security engineer receives the following error message: “An error occurred (AccessDenied) when calling the GetObject operation: Access Denied”.

Log files that were written to the S3 bucket before the bucket key was changed are still accessible. The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets.

What is the MOST likely cause of this error?

  • A. The security engineer’s IAM user does not have encrypt and decrypt permissions for the new KMS key.
  • B. The security engineer’s IAM user does not have administrative permissions for the new KMS key.
  • C. The S3 bucket policy needs modification to allow users to access objects that are encrypted with the new KMS key.
  • D. The S3 bucket policy needs modification to allow the security engineer’s IAM user to access objects in the S3 bucket.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Teknoklutz at Nov. 28, 2022, 10:13 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
c73bf38
2 years, 1 month ago
encrypt and decrypt
upvoted 1 times
...
milofficial
2 years, 3 months ago
Selected Answer: A
C and D are ruled out because the problem applies to more than one S3 bucket. B is ruled out, to view files you only need de/encrypt permissions A is right
upvoted 3 times
...
kerar
2 years, 5 months ago
Selected Answer: A
When a new user or role needs to access the bucket data, one must grant permission on both KMS keys.
upvoted 4 times
...
D2
2 years, 5 months ago
Selected Answer: A
Answer A
upvoted 2 times
...
Teknoklutz
2 years, 5 months ago
Selected Answer: A
Need New KMS Key Access
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago