Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 96 discussion

A solutions architect needs to implement a client-side encryption mechanism for objects that will be stored in a new Amazon S3 bucket. The solutions architect created a CMK that is stored in AWS Key Management Service (AWS KMS) for this purpose.

The solutions architect created the following IAM policy and attached it to an IAM role:



During tests, the solutions architect was able to successfully get existing test objects in the S3 bucket. However, attempts to upload a new object resulted in an error message. The error message stated that the action was forbidden.

Which action must the solutions architect add to the IAM policy to meet all the requirements?

  • A. kms:GenerateDataKey
  • B. kms:GetKeyPolicy
  • C. kms:GetPublicKey
  • D. kms:Sign
Suggested Answer: A
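The policy from the question is only available as an image, so the following is an added, constructed stand-in (not the site's or the question author's content) built on the assumption that the original policy allowed the S3 object actions plus kms:Decrypt, which is exactly the shape that lets GetObject succeed while PutObject is forbidden. It maps each S3 operation of the client-side envelope-encryption flow to the KMS action it calls and reports which actions the role is missing; the account ID, bucket and key ID are placeholders.

```python
import fnmatch
import json

# Constructed stand-in for the policy in the question (assumed shape, not the original).
# Bucket name, account ID and key ID are placeholders.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
})

# KMS calls made by the client-side (envelope) encryption flow:
#   upload   -> GenerateDataKey: a fresh data key, returned in plaintext and wrapped under the CMK
#   download -> Decrypt: unwrap the wrapped data key stored alongside the object
KMS_ACTIONS_PER_OPERATION = {
    "put": {"kms:GenerateDataKey"},
    "get": {"kms:Decrypt"},
}

def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def policy_allows(policy_json, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow grants.
    Resource and Condition elements are ignored; only the Action element is checked."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_kms_actions(policy_json, operation):
    """KMS actions the envelope flow needs for `operation` that the policy does not allow."""
    needed = KMS_ACTIONS_PER_OPERATION[operation]
    return sorted(a for a in needed if not policy_allows(policy_json, a))

def add_allow(policy_json, action, resource):
    """Return a copy of the policy with one more Allow statement (the fix for the question)."""
    doc = json.loads(policy_json)
    doc["Statement"].append({"Effect": "Allow", "Action": [action], "Resource": resource})
    return json.dumps(doc)
```

Against the constructed policy, `missing_kms_actions(BROKEN_POLICY, "get")` is empty while `missing_kms_actions(BROKEN_POLICY, "put")` reports kms:GenerateDataKey, matching the symptom in the question.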

Comments

masetromain
Highly Voted 1 year, 9 months ago
Selected Answer: A
A. kms:GenerateDataKey The solutions architect needs to add the "kms:GenerateDataKey" action to the IAM policy in order to generate a data key for client-side encryption. Without this action, the IAM role does not have the necessary permissions to generate a data key, which causes the error message when attempting to upload a new object.
upvoted 15 times
masetromain
1 year, 9 months ago
The other options are not correct because they are not required for this use case. kms:GetKeyPolicy allows for the retrieval of the key policy for a CMK, but it does not have any relation to client-side encryption of S3 objects; kms:GetPublicKey allows for the retrieval of the public key of a CMK, but it does not have any relation to client-side encryption of S3 objects; and kms:Sign allows for signing a message using a CMK, but it does not have any relation to client-side encryption of S3 objects.
upvoted 2 times
altonh
Most Recent 3 months, 3 weeks ago
Selected Answer: A
The answers don't make sense. The requirement is that it will be client-side encryption, which means the object is already encrypted when sent to S3. S3 will not do any encryption, so S3 does not need to access the KMS key.
upvoted 1 times
ninomfr64
9 months, 2 weeks ago
Selected Answer: A
A = correct (you encrypt data with a KMS data key and not the KMS key directly, unless the data is < 4K)
B = getting the policy would not allow you to get the data key needed for encryption
C = client-side encryption uses a symmetric key, not asymmetric keys
D = sign allows for signing messages, API calls, etc.
upvoted 3 times
career360guru
10 months, 2 weeks ago
Selected Answer: A
Option A
upvoted 1 times
NikkyDicky
1 year, 4 months ago
Selected Answer: A
A - need data key for client-side encr
upvoted 1 times
Jesuisleon
1 year, 5 months ago
I don't understand. Since it's client-side encryption, it means the encryption, the key and the tools are all maintained on the client side before submitting to AWS S3, so why do we need to add kms:GenerateDataKey? We don't need KMS to do anything, since it's client-side encryption and all of it is done outside of AWS.
upvoted 4 times
venvig
1 year, 2 months ago
When you want to do the client side encryption, your files are most likely above 4K in size. So, you would be performing envelope encryption. For that, you need a data key. You ask KMS to generate and give you the data key, supplying the kms CMK. KMS would generate a new data key, encrypt it with the CMK and return you both the encrypted and plain data key. AWS would never retain the data key; they will immediately discard it. You would now encrypt your data using the plain data key and immediately delete the plain data key (unencrypted). You store the encrypted data key that you got from KMS along with the encrypted data, which is then uploaded to s3. Note that AWS does NOT know about the data key at this point; only you know. KMS just holds the kms CMK that was used to encrypt the data key. So, you need access to KMS to decrypt the data key before using that decrypted data key to unencrypt your data. Similarly AWS cannot read your data, even though it has the KMS CMK and also the encrypted data key stored in s3. This is why you need the generateDataKey permission. Hope this helps.
upvoted 11 times
venvig
1 year, 2 months ago
Of course the answer is A
upvoted 1 times
bcx
1 year, 4 months ago
Indeed, the question says client side encryption but the answer is all about S3-KMS.
upvoted 2 times
mfsec
1 year, 7 months ago
Selected Answer: A
A for sure
upvoted 1 times
Untamables
1 year, 9 months ago
Selected Answer: A
https://docs.aws.amazon.com/kms/latest/cryptographic-details/client-side-encryption.html
upvoted 3 times
masssa
1 year, 9 months ago
Selected Answer: A
I vote A. https://repost.aws/ja/knowledge-center/s3-large-file-encryption-kms-key Adding kms:GenerateDataKey is necessary.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other