ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 163 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 163
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company is running an application that uses an Amazon ElastiCache for Redis cluster as a caching layer. A recent security audit revealed that the company has configured encryption at rest for ElastiCache. However, the company did not configure ElastiCache to use encryption in transit. Additionally, users can access the cache without authentication.

A solutions architect must make changes to require user authentication and to ensure that the company is using end-to-end encryption.

Which solution will meet these requirements?

  • A. Create an AUTH token. Store the token in AWS System Manager Parameter Store, as an encrypted parameter. Create a new cluster with AUTH, and configure encryption in transit. Update the application to retrieve the AUTH token from Parameter Store when necessary and to use the AUTH token for authentication.
  • B. Create an AUTH token. Store the token in AWS Secrets Manager. Configure the existing cluster to use the AUTH token, and configure encryption in transit. Update the application to retrieve the AUTH token from Secrets Manager when necessary and to use the AUTH token for authentication.
  • C. Create an SSL certificate. Store the certificate in AWS Secrets Manager. Create a new cluster, and configure encryption in transit. Update the application to retrieve the SSL certificate from Secrets Manager when necessary and to use the certificate for authentication.
  • D. Create an SSL certificate. Store the certificate in AWS Systems Manager Parameter Store, as an encrypted advanced parameter. Update the existing cluster to configure encryption in transit. Update the application to retrieve the SSL certificate from Parameter Store when necessary and to use the certificate for authentication.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by bititan at Feb. 2, 2023, 7:28 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
jimee11
1 month, 1 week ago
Selected Answer: B
Elasticache can be updated to support AUTH. Note: RBAC replaces AUTH now.
upvoted 1 times
...
zhen234
4 months, 2 weeks ago
Selected Answer: A
Encryption in transit cannot be enabled on an existing ElastiCache cluster. A new cluster must be created.
upvoted 2 times
...
d401c0d
4 months, 3 weeks ago
Selected Answer: B
Amazon ElastiCache for Redis now supports updates to encryption in transit on existing cluster resources. You can change the TLS configuration of your Redis clusters without re-building or re-provisioning them or impacting application availability. When enabling encryption in transit, your overall solution can remain connected to Redis clusters. To get started, upgrade your Redis cluster to version 7 or above. You can then modify the encryption-in-transit property for your cluster using the Elasticache Console, API or CLI. This feature is available in all regions at no additional cost. To learn more, see the ElastiCache user guide.
upvoted 2 times
...
kylix75
5 months ago
Selected Answer: A
The correct answer is A - Create an AUTH token, store it in Parameter Store, and create a new cluster with AUTH and in-transit encryption. Key reasons: ElastiCache doesn't allow enabling AUTH on existing clusters SSL certificates aren't used for Redis authentication Parameter Store is more cost-effective than Secrets Manager for this case Solution meets both requirements: AUTH authentication and end-to-end encryption
upvoted 1 times
...
TewatiaAmit
8 months ago
Selected Answer: A
A or B? Option B is suggesting to update the cluster which is not feasible. Once a cluster is created without encryption in transit, it cannot be modified to enable encryption in transit.
upvoted 1 times
...
Sin_Dan
8 months ago
Selected Answer: A
Enabling encryption in transit on an existing ElastiCache cluster that wasn’t originally configured with this feature is not possible. Encryption in transit, as well as encryption at rest, can only be specified at the time the cluster is created. AWS Documentation on Encryption in Transit: According to AWS ElastiCache documentation, if you want to enable encryption in transit, you must set this option when creating the ElastiCache cluster. Once a cluster is created without encryption in transit, it cannot be modified to enable this feature later. The same applies to Redis AUTH. Thus, if a Redis cluster was deployed without encryption in transit, the only way to enable it is to create a new ElastiCache cluster with this setting enabled. Then, the data would need to be migrated from the existing cluster to the new one.
upvoted 3 times
...
JoeTromundo
8 months, 2 weeks ago
Selected Answer: B
B=Better :-)
upvoted 1 times
...
ke1dy
1 year ago
Selected Answer: A
It seems to configure in-transit encryption in both new cluster and existing cluster, but updating is supported on Redis version 7 and later. So I will choose option A. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#in-transit-encryption-constraints
upvoted 1 times
attila9778
6 months, 1 week ago
https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/in-transit-encryption.html#in-transit-encryption-constraints "Modifying the in-transit encryption setting, for an existing cluster, is supported on replication groups running Valkey 7.2 and later, and Redis OSS version 7 and later." => modifying is possible => so B
upvoted 1 times
...
helloworldabc
10 months ago
just B
upvoted 3 times
...
...
gofavad926
1 year, 3 months ago
Selected Answer: B
A or B? I didn't read any comparison between these 2 options... For sure we need an auth token. Both, using SSM Parameter Store or Secrets Manager will work. Both, create a new cluster or update the current one will work. I will choose B because this approach avoids the need to set up a new cluster, potentially reducing effort and costs associated with migration or duplication of resources...
upvoted 3 times
...
career360guru
1 year, 6 months ago
Selected Answer: B
Option B
upvoted 2 times
...
career360guru
1 year, 7 months ago
Selected Answer: B
Option B
upvoted 2 times
...
NikkyDicky
1 year, 11 months ago
Selected Answer: B
B, per redis docs. EC encr in transit is a config option
upvoted 2 times
...
easytoo
2 years ago
b-b-b-b-b-b-b Creating an AUTH token provides a form of authentication for accessing the ElastiCache cluster. Storing the AUTH token in AWS Secrets Manager ensures secure and centralized management of the token. Configuring the existing ElastiCache cluster to use the AUTH token enables authentication for accessing the cache. Enabling encryption in transit ensures that data is encrypted when it is transferred between the client and the ElastiCache cluster. Updating the application to retrieve the AUTH token from Secrets Manager and use it for authentication ensures that only authorized users can access the cache.
upvoted 4 times
...
mfsec
2 years, 2 months ago
Selected Answer: B
Create an AUTH token. Store the token in AWS Secrets Manager.
upvoted 1 times
...
God_Is_Love
2 years, 3 months ago
Selected Answer: B
Redis CLI has AUTH command as a feature to SET/ROTATE strategies https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html
upvoted 4 times
...
Zek
2 years, 3 months ago
B seems right. To enable authentication on an existing Redis server, call the ModifyReplicationGroup API operation. Call ModifyReplicationGroup with the --auth-token parameter as the new token and the --auth-token-update-strategy with the value ROTATE. After the modification is complete, the cluster supports the AUTH token specified in the auth-token parameter in addition to supporting connecting without authentication. Enabling authentication is only supported on Redis servers with encryption in transit (TLS) enabled. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html
upvoted 3 times
...
spd
2 years, 4 months ago
Selected Answer: B
As per https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel