
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 45 discussion

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.
The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted.
Which solution will meet this requirement?

  • A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.
  • B. Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.
  • C. Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encrypted snapshots to the new account on a recurring basis.
  • D. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.
Suggested Answer: C
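The recurring cross-account copy that answer C describes, as an added example (not code from the page or from AWS): the key-policy statement the source KMS key needs, plus the boto3 request parameters for sharing a snapshot from the source account and copying it into the recovery account. Account IDs, key ARNs and the `recovery` profile name are constructed placeholders; re-encrypting the copy under a key the recovery account owns goes beyond the answer's wording and is an assumption about practice.

```python
"""Recurring cross-account copy of KMS-encrypted EBS snapshots (answer C pattern).

All identifiers are constructed placeholders, not values from the page.
"""

RECOVERY_ACCOUNT = "222222222222"   # constructed: limited-privilege recovery account
REGION = "us-east-1"
RECOVERY_KEY_ID = "arn:aws:kms:us-east-1:222222222222:key/PLACEHOLDER-RECOVERY-KEY"


def recovery_key_policy_statement(recovery_account: str) -> dict:
    """Statement to add to the SOURCE key's policy: the minimum KMS actions the
    recovery account needs to read a snapshot encrypted under that key."""
    return {
        "Sid": "AllowRecoveryAccountToCopyEncryptedSnapshots",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{recovery_account}:root"},
        "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:CreateGrant"],
        "Resource": "*",
    }


def share_snapshot_request(snapshot_id: str, recovery_account: str) -> dict:
    """Parameters for ec2.modify_snapshot_attribute in the SOURCE account:
    grants the recovery account permission to read and copy the snapshot."""
    return {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission",
            "OperationType": "add", "UserIds": [recovery_account]}


def copy_snapshot_request(snapshot_id: str, region: str, recovery_key_id: str) -> dict:
    """Parameters for ec2.copy_snapshot in the RECOVERY account. Re-encrypting
    under a key the recovery account owns keeps the copy usable even if the
    source account, and the key it holds, is later disabled or deleted."""
    return {"SourceRegion": region, "SourceSnapshotId": snapshot_id,
            "Encrypted": True, "KmsKeyId": recovery_key_id,
            "Description": f"DR copy of {snapshot_id}"}


if __name__ == "__main__":
    import boto3  # live run only; needs credentials for both accounts
    src = boto3.client("ec2", region_name=REGION)
    # "recovery" is an assumed local profile name for the recovery account
    dst = boto3.Session(profile_name="recovery").client("ec2", region_name=REGION)
    for snap in src.describe_snapshots(OwnerIds=["self"])["Snapshots"]:
        src.modify_snapshot_attribute(**share_snapshot_request(snap["SnapshotId"], RECOVERY_ACCOUNT))
        new = dst.copy_snapshot(**copy_snapshot_request(snap["SnapshotId"], REGION, RECOVERY_KEY_ID))
        print(snap["SnapshotId"], "->", new["SnapshotId"])
```

Run it on a schedule (for example from an EventBridge-triggered job) so the recovery account always holds a recent copy that the source account cannot delete.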

Comments

Olaunfazed
5 months, 2 weeks ago
Answer is D. The best solution is to use AWS Backup. It allows you to copy EBS snapshots to Amazon S3 and provides built-in features like S3 Object Lock to prevent deletion of snapshots. By using AWS Backup, you can automate the process and ensure reliable disaster recovery even in case of account compromise.
upvoted 3 times
lovekiller
1 month, 3 weeks ago
True, previously this was not an option, but it was a recent addition to AWS Backup. Source: https://aws.amazon.com/getting-started/hands-on/amazon-ebs-backup-and-restore-using-aws-backup/
upvoted 1 times
Raphaello
9 months, 2 weeks ago
Selected Answer: A
Option A seems a very good solution to me! C is a fine solution, but why not A? What makes A less appealing than C?!!! In fact, using Glacier Vault Lock is the ONLY way to protect against data deletion, and even after moving snapshots/backups to a different account, Glacier Vault Lock would be required to protect against data deletion from the new account.
upvoted 1 times
Raphaello
9 months, 2 weeks ago
Sorry, that's the answer for a different question. For this one, C is the best option.
upvoted 1 times
walter_white_008
9 months, 2 weeks ago
Selected Answer: C
C makes sense.
upvoted 1 times
Raphaello
10 months ago
Selected Answer: C
This is a bit vague. 1. If the fear is losing account A, and subsequently the encrypted snapshots, that would apply to the KMS keys used for snapshot encryption as well. 2. A solution to back up the encrypted snapshots to a different account, B, has to include creating a new KMS key in account B, and not just access to the KMS key in account A, because that key is subject to the fear of being compromised as well. 3. Answer C is the only one that takes the KMS key into consideration, even if not in an ideal way. I would go with C only for that fact, and because it mentions a new account.
upvoted 2 times
Th3Dud3
11 months ago
C. You can add a vault lock to your AWS Backup vault, so there is no need to use S3 Object Lock.
upvoted 1 times
confusedyeti69
1 year ago
How compromise is compromised? You wouldn't have access to KMS if you choose C and your snapshots are in the same account if you choose D.
upvoted 1 times
Aamee
1 year ago
This statement in option C, "Allow the new account to access the KMS key that encrypts the EBS snapshots", clearly means that when you're creating a new account for a backup solution, you also have the appropriate 'Access' to encrypt and decrypt with the keys as well. That's why it further says to copy the encrypted snapshots into the new account too, for performing any future decrypt operations. Hope it helps.
upvoted 1 times
confusedyeti69
12 months ago
If you store the snapshot in account B that is encrypted with account A's key, and then lose access to the key (compromised), would you still be able to use the snapshot?
upvoted 1 times
Daniel76
11 months, 1 week ago
The key is in KMS and account B has access to it. If account A is gone, account B can still decrypt the snapshot, provided account A did not have the right to delete this key in KMS.
upvoted 1 times
Daniel76
1 year ago
Selected Answer: C
You can't use D because the snapshot can still be deleted, even under compliance mode, if the compromised AWS account is deleted. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html
upvoted 2 times
But if the AWS account is compromised and they are worried about the AWS account being deleted, then it will lose the KMS key as well. It is a tricky question: the S3 lock is not enough because you will lose the KMS keys, but it should have a solution to copy the keys into the new account as well.
upvoted 1 times
Boul
8 months, 3 weeks ago
KMS is external to the accounts. It's either you have access to the service or not, regardless of the account.
upvoted 1 times
NoCrapEva
10 months ago
The question only says the account is compromised (not deleted)... But the question specifically asks you "...to implement a solution so that the company can recover the EC2 instances" IF "...the EBS snapshots are deleted". Therefore only answer C will allow this.
upvoted 1 times
AgboolaKun
1 year, 1 month ago
Selected Answer: C
C is the correct answer to me.
New AWS account with limited privileges - prevents the account from being compromised.
Access to the AWS KMS key - access to the key to decrypt data in the recovery account.
Copy snapshots to the recovery account (new account) on a recurring basis - this could be done using AWS Backup as well, or any other service.
upvoted 2 times
pupsik
1 year, 1 month ago
Selected Answer: D
"Use S3 Object Lock to prevent deletion of the snapshots." makes this option very viable, even if the account gets compromised.
upvoted 2 times
bannium
1 year, 1 month ago
How can I export EBS snapshot data to an S3 bucket using AWS Backup?
upvoted 1 times
AgboolaKun
1 year, 1 month ago
The only concern I have with D is that there is no mention of how to access the AWS KMS CMK key used for the encryption of EBS snapshots. Therefore, I will go for C.
upvoted 2 times
confusedyeti69
1 year ago
It is creating a snapshot and storing it in S3 in the same account, so there is no need for any KMS policy to be explicitly mentioned in the answer. But like another previous comment mentioned, it would be better to back up the keys as well if storing the backup snapshot in another account. I vote D as the answer.
upvoted 1 times
100fold
1 year, 1 month ago
Selected Answer: C
Answer C. The wording is rearranged, but the answer selections are the same. https://www.examtopics.com/discussions/amazon/view/69464-exam-aws-certified-security-specialty-topic-1-question-315/
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other