
Exam AWS Certified Security - Specialty topic 1 question 447 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 447
Topic #: 1

A company is designing a solution to serve content from an Amazon CloudFront distribution that will have an Amazon S3 bucket as the origin. A security engineer needs to encrypt S3 data at rest with an AWS Key Management Service (KMS) customer managed key rather than with an S3 managed key. The solution must minimize operational overhead.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

  • A. Create the S3 bucket. Configure server-side encryption with a customer managed KMS key.
  • B. Create the S3 bucket. Configure server-side encryption with customer-provided encryption keys (SSE-C).
  • C. Create the CloudFront distribution. Use the S3 bucket as the origin. Configure the distribution to use an origin access identity (OAI).
  • D. Create the CloudFront distribution. Use the S3 bucket as the origin. Delete the origin access identity (OAI) configuration.
  • E. Configure the CloudFront distribution cache to encrypt data at rest by using the customer managed KMS key.
  • F. Create a Lambda@Edge function that runs for origin request events and reads from the S3 bucket by using the customer managed KMS key.
Suggested Answer: ADF

Comments

Balki
Highly Voted 2 years, 5 months ago
Selected Answer: ADF
Tough question. Instead of exposing your S3 bucket publicly to allow CloudFront to download objects, it is best to keep your bucket private using CloudFront Origin Access Identity (OAI). OAI is a special CloudFront user that is associated with an S3 origin and given the necessary permissions to access objects within the bucket. Currently, OAI only supports SSE-S3, which means customers cannot use SSE-KMS with OAI.
upvoted 18 times
wmp7039
Most Recent 1 year, 10 months ago
Selected Answer: ADF
ADF : https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
upvoted 2 times
OCHT
1 year, 11 months ago
Selected Answer: ACF
ACF should be correct
upvoted 2 times
OCHT
2 years ago
Selected Answer: ACF
Option D is not selected since deleting the OAI configuration will expose the S3 content directly, which isn't ideal considering the security requirements.
upvoted 3 times
Tofu13
1 year, 11 months ago
It should be ADF since you cannot use OAI with KMS customer managed keys (see the blog post posted by other users). With OAC it is now possible to use KMS. https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/
upvoted 1 times
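The thread above points out that origin access control (OAC) can now read SSE-KMS objects, which is the current way to keep the bucket private while encrypting with a customer managed key; the keyed answer ADF reflects the earlier OAI limitation. The following Python is an added example, not code from this thread or from AWS. It builds the two policy documents the OAC path depends on (a bucket policy that lets only the CloudFront service principal read objects, and a KMS key-policy statement that lets the same principal decrypt), pins both to a single distribution with an AWS:SourceArn condition, and includes a small audit helper that flags the two mistakes that undo the protection: a grant to every principal (what you get once the OAI is deleted and the bucket is opened up) and a CloudFront grant that is not scoped to one distribution. The account ID, distribution ID and bucket name are constructed placeholders.

```python
import json
from typing import List

CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"


def distribution_arn(account_id: str, distribution_id: str) -> str:
    """ARN of a CloudFront distribution; every grant below is scoped to it."""
    return f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"


def bucket_policy_for_oac(bucket: str, dist_arn: str) -> dict:
    """S3 bucket policy: only the CloudFront service principal may read objects, and
    only when the request originates from the named distribution. No public access."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}},
            }
        ],
    }


def kms_key_policy_statement_for_oac(dist_arn: str) -> dict:
    """Statement to append to the customer managed key's policy so CloudFront can
    decrypt SSE-KMS objects on behalf of viewers. Encrypt/GenerateDataKey are only
    exercised if the distribution also forwards uploads to the origin."""
    return {
        "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
        "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}},
    }


def audit_cloudfront_grants(policy: dict, dist_arn: str) -> List[str]:
    """Lint a bucket policy or a key policy (the risky shapes are the same in both):
    an Allow to any principal makes the content or key usable by anyone; an Allow to
    cloudfront.amazonaws.com without a matching AWS:SourceArn lets any CloudFront
    distribution in any AWS account use this bucket or key as its origin."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        source_arn = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Allow to every principal (content is public)")
        elif isinstance(principal, dict) and principal.get("Service") == CLOUDFRONT_PRINCIPAL:
            if source_arn != dist_arn:
                findings.append(f"{sid}: CloudFront grant not scoped to {dist_arn}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real resources.
    dist = distribution_arn("111122223333", "EDFDVBD6EXAMPLE")
    bucket_policy = bucket_policy_for_oac("example-origin-bucket", dist)
    key_policy = {"Version": "2012-10-17",
                  "Statement": [kms_key_policy_statement_for_oac(dist)]}
    print(json.dumps(bucket_policy, indent=2))
    print("bucket findings:", audit_cloudfront_grants(bucket_policy, dist))
    print("key findings:", audit_cloudfront_grants(key_policy, dist))

    # The weak shape: OAI removed and the bucket opened to everyone instead.
    public = {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin-bucket/*"}]}
    print("public-bucket findings:", audit_cloudfront_grants(public, dist))
```

The audit runs the same check over both documents because the confused-deputy risk is identical: the service principal cloudfront.amazonaws.com is shared by every AWS customer, so a grant to it is only as narrow as its AWS:SourceArn condition. Run the audit against the policies you actually apply (for example the output of `aws s3api get-bucket-policy` and `aws kms get-key-policy`) rather than against the generated ones only.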
jishrajesh
2 years, 4 months ago
Selected ADF
upvoted 2 times
Teknoklutz
2 years, 4 months ago
Selected Answer: ADF
ADF should be the answer
upvoted 2 times
ajajajaj
2 years, 5 months ago
Please don't give us this question because we won't use OAI anymore!! We can use OAC instead and don't need to worry about how to manage KMS. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
upvoted 3 times
piter8111
2 years, 5 months ago
Selected Answer: ADF
https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
upvoted 3 times
Teknoklutz
2 years, 5 months ago
Selected Answer: ADF
https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
upvoted 2 times
tainh
2 years, 5 months ago
Selected Answer: ADF
I choose A, D, F: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
upvoted 4 times
Wilson_S
2 years, 5 months ago
For the ability to decrypt, I am considering ADF after reading the following: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
upvoted 1 times
AdamWest
2 years, 5 months ago
Selected Answer: ADE
ADE - If your origin is an Amazon S3 bucket configured as a website endpoint, you must set it up with CloudFront as a custom origin. That means you can't use OAC (or OAI). However, you can restrict access to a custom origin by setting up custom headers and configuring the origin to require them.
upvoted 3 times
Phongsanth
2 years, 5 months ago
ADF, guys. Check this link: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other