
Exam AWS Certified Security - Specialty topic 1 question 507 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 507
Topic #: 1

A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region. Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue? (Choose three.)

  • A. Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.
  • B. Grant the IAM role the kms:Encrypt permission for the key in us-east-1 that encrypts source objects.
  • C. Grant the IAM role the s3:GetObjectVersionForReplication permission for objects that are in the source S3 bucket.
  • D. Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects.
  • E. Change the key policy of the key in us-east-1 to grant the kms:Decrypt permission to the security engineer’s IAM account.
  • F. Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.
Suggested Answer: CDF

Comments

6_8ftwin
Highly Voted 1 year, 10 months ago
Selected Answer: CDF
s3:GetObjectVersionForReplication is required for object replication https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#replication-kms-permissions
upvoted 7 times
Raphaello
Most Recent 1 year, 2 months ago
Selected Answer: CDF
CDF are the correct answer.
  • kms:Decrypt on KMS key in region of bucket 1 (source)
  • s3:GetObjectVersionForReplication on bucket 1
  • kms:Encrypt on KMS key in region of bucket 2 (destination)
upvoted 1 times
rajkanch
1 year, 10 months ago
s3:GetObjectVersionForReplication action for source objects – This action allows Amazon S3 to replicate both unencrypted objects and objects created with server-side encryption by using SSE-S3, SSE-KMS, or DSSE-KMS.

Note: We recommend that you use the s3:GetObjectVersionForReplication action instead of the s3:GetObjectVersion action because s3:GetObjectVersionForReplication provides Amazon S3 with only the minimum permissions necessary for replication. In addition, the s3:GetObjectVersion action allows replication of unencrypted and SSE-S3-encrypted objects, but not of objects that are encrypted by using KMS keys (SSE-KMS or DSSE-KMS).

kms:Decrypt and kms:Encrypt AWS KMS actions for the KMS keys – You must grant kms:Decrypt permissions for the AWS KMS key that's used to decrypt the source object. You must grant kms:Encrypt permissions for the AWS KMS key that's used to encrypt the object replica.
upvoted 3 times
rajkanch
1 year, 10 months ago
Answer : CDF
upvoted 1 times
kuber2023
1 year, 10 months ago
Selected Answer: CDF
B doesn't make sense as the replication role won't need to encrypt in the source region. The sequence should be decrypt (D), replicate (C) and finally encrypt (F).
upvoted 3 times
cloudenthusiast
1 year, 10 months ago
Selected Answer: BDF
B. Grant the IAM role the kms:Encrypt permission for the key in us-east-1 that encrypts source objects. By granting the IAM role the kms:Encrypt permission for the key in the source region (us-east-1), it allows the role to encrypt objects using the SSE-KMS key before replicating them.

D. Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects. Since the objects in the source bucket are encrypted using SSE-KMS, the IAM role needs the kms:Decrypt permission for the key in us-east-1 to read and decrypt the source objects during the replication process.

F. Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. Therefore, the IAM role needs the kms:Encrypt permission for the key in us-west-2 to encrypt the replicated objects in the destination bucket.
upvoted 2 times
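To make the thread's conclusion concrete, here is an added example (not from the thread, the exam, or AWS's own code) of the least-privilege policy a replication role needs for SSE-KMS objects, together with a small checker that reproduces the symptom in the question: with the KMS grants missing, an unencrypted object still has everything it needs to replicate, while an SSE-KMS object fails on kms:Decrypt and kms:Encrypt. The bucket names, account ID and key ARNs are constructed placeholders; the statement layout, including the kms:ViaService and kms:EncryptionContext:aws:s3:arn conditions that keep the role from using the keys outside S3, follows the pattern in the AWS replication documentation linked above.

```python
"""Least-privilege CRR role policy for SSE-KMS objects plus a checker that
shows why a role lacking KMS grants replicates plain objects but not
SSE-KMS ones. All identifiers below are constructed examples."""
from fnmatch import fnmatchcase

# Constructed identifiers (not a real account, bucket or key).
SOURCE_BUCKET = "example-source-bucket"
DEST_BUCKET = "example-destination-bucket"
SOURCE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
DEST_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/22222222-2222-2222-2222-222222222222"


def replication_role_policy(source_bucket, dest_bucket, source_key_arn, dest_key_arn):
    """Role policy for CRR of SSE-KMS objects. The statements the question
    turns on are C (GetObjectVersionForReplication), D (kms:Decrypt on the
    source key) and F (kms:Encrypt on the destination key)."""
    return {"Version": "2012-10-17", "Statement": [
        {  # read the source bucket and its replication configuration
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetReplicationConfiguration"],
            "Resource": [f"arn:aws:s3:::{source_bucket}"]},
        {  # C: the minimal read permission on source object versions
            "Effect": "Allow",
            "Action": ["s3:GetObjectVersionForReplication",
                       "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
            "Resource": [f"arn:aws:s3:::{source_bucket}/*"]},
        {  # write replicas into the destination bucket
            "Effect": "Allow",
            "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
            "Resource": [f"arn:aws:s3:::{dest_bucket}/*"]},
        {  # D: decrypt source objects, only when S3 in us-east-1 calls KMS
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [source_key_arn],
            "Condition": {"StringLike": {
                "kms:ViaService": "s3.us-east-1.amazonaws.com",
                "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{source_bucket}/*"}}},
        {  # F: encrypt replicas with the destination key, only via S3 in us-west-2
            "Effect": "Allow",
            "Action": ["kms:Encrypt"],
            "Resource": [dest_key_arn],
            "Condition": {"StringLike": {
                "kms:ViaService": "s3.us-west-2.amazonaws.com",
                "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{dest_bucket}/*"}}},
    ]}


def allows(policy, action, resource):
    """True if some Allow statement matches action and resource. Simplified
    evaluator: wildcards are honoured; Deny statements and Condition blocks
    are not evaluated (for calls S3 makes on the role's behalf, the
    conditions above hold)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(action, a) for a in acts) and \
           any(fnmatchcase(resource, r) for r in ress):
            return True
    return False


def missing_for_replication(policy, object_key, sse_kms=True):
    """(action, resource) pairs the role lacks for replicating one object.
    SSE-KMS objects need the two KMS grants on top of the S3 grants;
    unencrypted objects need only the S3 grants."""
    required = [
        ("s3:GetObjectVersionForReplication", f"arn:aws:s3:::{SOURCE_BUCKET}/{object_key}"),
        ("s3:ReplicateObject", f"arn:aws:s3:::{DEST_BUCKET}/{object_key}"),
    ]
    if sse_kms:
        required += [("kms:Decrypt", SOURCE_KEY_ARN), ("kms:Encrypt", DEST_KEY_ARN)]
    return [(a, r) for a, r in required if not allows(policy, a, r)]


def without_statements(policy, *actions):
    """Copy of policy with every statement granting any of `actions` dropped;
    used to reproduce the misconfiguration described in the question."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if not set(s["Action"]) & set(actions)]}


if __name__ == "__main__":
    good = replication_role_policy(SOURCE_BUCKET, DEST_BUCKET, SOURCE_KEY_ARN, DEST_KEY_ARN)
    broken = without_statements(good, "kms:Decrypt", "kms:Encrypt")
    print("complete role, SSE-KMS object :", missing_for_replication(good, "report.csv"))
    print("no KMS grants, plain object   :", missing_for_replication(broken, "notes.txt", sse_kms=False))
    print("no KMS grants, SSE-KMS object :", missing_for_replication(broken, "report.csv"))
```

The checker only models the role policy; in a real account the source and destination key policies must also allow the role (or delegate to IAM), and S3 reports per-object replication failures through the replication status and S3 Replication metrics rather than in the role's own logs, which is why the symptom in the question shows up as "encrypted objects never arrive" rather than as an explicit permission error.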
Community vote distribution: A (35%), C (25%), B (20%), Other