ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified SysOps Administrator - Associate All Questions

View all questions & answers for the AWS Certified SysOps Administrator - Associate exam
Go to Exam

Exam AWS Certified SysOps Administrator - Associate topic 1 question 209 discussion

Exam question from Amazon's AWS Certified SysOps Administrator - Associate
Question #: 209
Topic #: 1
[All AWS Certified SysOps Administrator - Associate Questions]

A company needs to deploy a new workload on AWS. The company must encrypt all data at rest and must rotate the encryption keys once each year. The workload uses an Amazon RDS for MySQL Multi-AZ database for data storage.

Which configuration approach will meet these requirements?

  • A. Enable Transparent Data Encryption (TDE) in the MySQL configuration file. Manually rotate the key every 12 months.
  • B. Enable RDS encryption on the database at creation time by using the AWS managed key for Amazon RDS.
  • C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable RDS encryption on the database at creation time by using the KMS key.
  • D. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the RDS DB instance.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by michaldavid at Dec. 13, 2022, 12:57 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
kaka321
1 month ago
Selected Answer: B
Just to let us know b is straight forward with no cost implication.
upvoted 1 times
...
kaka321
1 month ago
Selected Answer: B
I know aws secret manager is used for database key rotation and not kms. Specifically for ads and redis
upvoted 1 times
...
Rado_Piatek
2 months, 2 weeks ago
Selected Answer: C
Both B and C are valid option, if the question was to choose the least effort option i would go with B, but C seems more rational in this case. AWS managed keys rotate automatically so you don't to enable rotation additionally, in fact you cannot change it to NOT rotate.
upvoted 1 times
...
TareDHakim
1 year, 1 month ago
Selected Answer: B
B is easiest! Why would you choose C, a custom key with management overhead when you can just have AWS encrypt and rotate the key using default Encryption settings?
upvoted 2 times
confusedyeti69
11 months, 2 weeks ago
B doesn't say "Enable automatic key rotation".
upvoted 5 times
...
...
Christina666
1 year, 6 months ago
Selected Answer: C
Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
upvoted 4 times
...
CodePoet
2 years, 1 month ago
Selected Answer: C
Obviously C
upvoted 2 times
...
michaldavid
2 years, 2 months ago
Selected Answer: C
Agree with C
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel