
Exam AWS Certified Developer Associate topic 1 question 45 discussion

Exam question from Amazon's AWS Certified Developer Associate
Question #: 45
Topic #: 1

A Development team is working on a case management solution that allows medical claims to be processed and reviewed. Users log in to provide information related to their medical and financial situations.
As part of the application, sensitive documents such as medical records, medical imaging, bank statements, and receipts are uploaded to Amazon S3. All documents must be securely transmitted and stored. All access to the documents must be recorded for auditing.
What is the MOST secure approach?

  • A. Use S3 default encryption using Advanced Encryption Standard-256 (AES-256) on the destination bucket.
  • B. Use Amazon Cognito for authorization and authentication to ensure the security of the application and documents.
  • C. Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket.
  • D. Use client-side encryption/decryption with Amazon S3 and AWS KMS.
Suggested Answer: D

Comments

rajupselenium
Highly Voted 3 years, 6 months ago
D is correct. Use client-side encryption/decryption with Amazon S3 and AWS KMS. Keywords: auditing is required, and AWS KMS has auditing capability; and it has to be client-side encryption for secure transmission.
upvoted 36 times
newme
3 years, 6 months ago
SSE-S3 uses AWS-managed KMS. Doesn't AWS-managed KMS have auditing capability? Or is it just that we can't see it?
upvoted 2 times
BiswaGB
3 years, 6 months ago
I got this from https://aws.amazon.com/kms/faqs/: "AWS CloudTrail gives you the ability to audit the use of your keys to support your regulatory and compliance activities."
upvoted 2 times
FHU
Highly Voted 3 years, 6 months ago
I would go with (D) because the goal of the question is security related. Take a look at S3 FAQ: https://aws.amazon.com/s3/faqs/?nc1=h_ls. In the Security topic, it is possible to see that encryption with SSE-KMS provides improved auditing compared to other options.
upvoted 8 times
sumanshu
Most Recent 4 months, 1 week ago
Selected Answer: D
A) Eliminated - While S3 default encryption (AES-256) provides server-side encryption of objects at rest, it does not ensure encryption during transmission.
upvoted 1 times
sumanshu
4 months, 1 week ago
D) Correct - Client-side encryption using AWS KMS provides strong encryption during both transmission and storage.
upvoted 1 times
AsmaZoheb
1 year, 3 months ago
Selected Answer: D
For sure D.
upvoted 1 times
rcaliandro
1 year, 10 months ago
Selected Answer: D
D is the correct one in my opinion. It is much better and more secure to encrypt client-side using a key stored in KMS, rather than use S3 default encryption or write the algorithm in Lambda. This will avoid interception of sensitive data when it is sent to the bucket.
upvoted 1 times
qiaoli
2 years, 1 month ago
I have one concern regarding D. Handling client-side encryption/decryption means the client side needs access to the key (e.g. a KMS key). Based on the scenario, it looks like an application used by a lot of users to upload the medical documents. My concern is, how do we make sure the key is secure on the client side (e.g. JavaScript in a web app)? Also, is using HTTPS not enough to ensure security in transmission?
upvoted 3 times
Hemu0711
1 year, 3 months ago
Was wondering the same.
upvoted 1 times
AsmaZoheb
1 year, 3 months ago
S3 default encryption with AES-256 will ensure that data stored in S3 is encrypted at rest, but it won't address the requirement for client-side encryption, which aims to encrypt data before it even reaches S3. Client-side encryption is often used when you want to maintain control over the encryption keys and ensure that data remains encrypted throughout its entire journey, including transmission and storage. A is good practice for data at rest, but it does not fully satisfy the scenario's requirements for both secure transmission and storage, as client-side encryption would. D ("Use client-side encryption/decryption with Amazon S3 and AWS KMS") provides a more comprehensive approach by addressing both data transmission and storage with the added benefit of key control on the client side.
upvoted 1 times
ogwu2000
2 years, 2 months ago
C: The developer must perform client-side encryption using Lambda, transmit, then decrypt using Lambda before finally writing it to S3.
upvoted 1 times
ogwu2000
2 years, 2 months ago
Use S3 access logs for auditing. A is wrong as data has to be transmitted in transit. D is wrong as you can't combine client-side encryption/decryption with KMS on S3. How and where will the decryption happen?
upvoted 1 times
captainpike
2 years, 1 month ago
On the client side. So the idea is to get the key from KMS, encrypt, and then save to S3, as here: https://docs.aws.amazon.com/kms/latest/cryptographic-details/client-side-encryption.html
upvoted 1 times
ShriniW
2 years, 2 months ago
SSE-KMS lets AWS Key Management Service (AWS KMS) manage your encryption keys. Using AWS KMS to manage your keys provides several additional benefits. With AWS KMS, there are separate permissions for the use of the KMS key, providing an additional layer of control and protection against unauthorized access to your objects stored in Amazon S3. AWS KMS provides an audit trail so you can see who used your key to access which object and when, as well as view failed attempts to access data from users without permission to decrypt the data. Also, AWS KMS provides additional security controls to support customer efforts to comply with PCI-DSS, HIPAA/HITECH, and FedRAMP industry requirements (https://aws.amazon.com/s3/faqs/?nc1=h_ls). Should be D only.
upvoted 2 times
ninomfr64
1 year, 8 months ago
But SSE-KMS is NOT client-side encryption; it actually is client-side encryption, which means you have your client app encrypt data before sending and decrypt it once received.
upvoted 1 times
ayoubmk
2 years, 3 months ago
Documents should be securely transmitted ==> client-side encryption. AWS KMS has the ability to audit: https://docs.aws.amazon.com/kms/latest/developerguide/security-logging-monitoring.html ==> D is the best choice.
upvoted 1 times
dark_cherrymon
2 years, 5 months ago
Selected Answer: D
D, it needs to be encrypted in transit.
upvoted 5 times
Arnaud92
2 years, 6 months ago
Selected Answer: D
D is correct
upvoted 2 times
jaimitom94
2 years, 10 months ago
Selected Answer: D
D is correct. Use client-side encryption/decryption with Amazon S3 and AWS KMS.
upvoted 2 times
MikeyJ
2 years, 11 months ago
Selected Answer: A
I think part of the question/answer is missing. I think it's supposed to be A, as S3 allows strong encryption and access logging, which would answer both requirements in the question. But I still think the question itself is wrong, as they would surely list CloudTrail in one of the answers. https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html and https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
upvoted 1 times
dark_cherrymon
2 years, 5 months ago
It needs to be encrypted in transit, so it's D.
upvoted 1 times
Asim17
2 years, 11 months ago
D is correct because all papers must be sent and kept securely.
upvoted 1 times
w2000w
3 years ago
Selected Answer: D
Which technique is the MOST SECURE? Double encryption: at the client side AND at Amazon S3 using KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html). Therefore, the answer is D: Use client-side encryption/decryption with Amazon S3 and AWS KMS.
upvoted 2 times
w2000w
2 years, 12 months ago
It is not double encryption, it is just plain client-side encryption with an AWS KMS key: https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-emrfs-encryption-cse.html
upvoted 1 times
netk
3 years, 2 months ago
Selected Answer: C
C is my answer.
upvoted 1 times
netk
3 years, 2 months ago
Sorry, D.
upvoted 3 times
JP_PA
3 years, 2 months ago
Selected Answer: D
ANS: D
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other