ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 45 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 45
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.
The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted.
Which solution will meet this requirement?

  • A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.
  • B. Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.
  • C. Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encrypted snapshots to the new account on a recurring basis.
  • D. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by 100fold at Oct. 18, 2023, 2:55 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Olaunfazed
10 months, 1 week ago
Answer is D The best solution is to use AWS Backup. It allows you to copy EBS snapshots to Amazon S3 and provides built-in features like S3 Object Lock to prevent deletion of snapshots. By using AWS Backup, you can automate the process and ensure reliable disaster recovery even in case of account compromise
upvoted 3 times
urbanmonk
4 months, 1 week ago
As simplistic and plausible as Option D sounds, it is not the solution when you reread the question. REQUIREMENTS: "A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted" The question explicitly asks about the solution given a scenario that the "account is compromised". Hence, you NEED a backup/new account to remedy the situation. Correct answer is C
upvoted 2 times
...
lovekiller
6 months, 2 weeks ago
True, previously this was not an option but was a recent addition to AWS Backup. Source: https://aws.amazon.com/getting-started/hands-on/amazon-ebs-backup-and-restore-using-aws-backup/
upvoted 1 times
...
...
Raphaello
1 year, 2 months ago
Selected Answer: A
Option A seems very good solution to me! C is a fine solution, but why not A? What makes A less appealing than C?!!! In fact, using Glacier Vault Lock is the ONLY way to protect against data deletion, and even after moving snapshots/backups to a different account, Glacier Vault Lock would be required to protect against data deletion from the new account.
upvoted 1 times
Raphaello
1 year, 2 months ago
Sorry, that's the answer for a different question. -------------------------------------------------------------------------- For this one, C is the best option
upvoted 1 times
...
...
walter_white_008
1 year, 2 months ago
Selected Answer: C
C makes sense.
upvoted 1 times
...
Raphaello
1 year, 2 months ago
Selected Answer: C
This is a bit vague. 1. If the fear to lose account A, and subsequently the encrypted snapshots, that would apply to KMS keys used for snapshot encryption. 2. A solution to backup the encrypted snapshots to a different account, B, has to include creating new KMS key in account B, and not just access to KMS key in account A, cause it is subject to the fear of being compromised as well. 3. Answer C is the only one that taking KMS key into consideration, even if not in an ideal way. I would go with C only for that fact, and it mentioned a new account.
upvoted 2 times
...
Th3Dud3
1 year, 3 months ago
c. You can add a vault lock to your AWS Backup Vault. So no need to use S3 object lock.
upvoted 1 times
...
confusedyeti69
1 year, 4 months ago
How compromise is compromised? You wouldn't have access to KMS if you choose C and your snapshots are in the same account if you choose D.
upvoted 1 times
Aamee
1 year, 4 months ago
This statement in option C "Allow the new account to access the KMS key that encrypts the EBS snapshots" clearly means that when you're creating a new account for a backup solution, you also have the appropriate 'Access' to encrypt and decrypt the keys as well. That's why it's further said to copy out the encrypted snapshots in the new account too for performing any future decrypt operations. Hope it helps..
upvoted 1 times
confusedyeti69
1 year, 4 months ago
If you store the snapshot in account B that is encrypted with account A's key, and then lose access to the key (compromised), would you still be able to use the snapshot?
upvoted 1 times
Daniel76
1 year, 3 months ago
The key is in the KMS and account B has access to it. if account A is gone, account B can still decrypt the snapshot, provided the account A did not have the right to delete this key in the KMS..
upvoted 1 times
...
...
...
...
Daniel76
1 year, 4 months ago
Selected Answer: C
You cant use D because the snapshot can still be deleted even if under compliance mode, if the compromised AWS account is deleted. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html
upvoted 2 times
...
awssecuritynewbie
1 year, 5 months ago
but if the AWS account is compromised and they are worried about the AWS account being deleted...so it will lose the KMS key as well. It is a tricky question the S3 lock is not enough because you will lose the KMS keys.. but it should have a solution to copy the keys into the new account as well.
upvoted 1 times
Boul
1 year, 1 month ago
KMS is external to the accounts. It's either you have access to the service or not, regardless of the account.
upvoted 1 times
...
NoCrapEva
1 year, 2 months ago
The question only says Account compromised (not deleted)... But the question specifically asks you "...to implement a solution so that the company can recover the EC2 instances" IF ..."the EBS snapshots are deleted" Therefore only Answer C will allow this
upvoted 1 times
...
...
AgboolaKun
1 year, 5 months ago
Selected Answer: C
C is the correct answer to me. New AWS account with limited privileges - prevents the account from being compromised Access to AWS KMS key - access to the key to decrypt data in the recovery account. Copy snapshots to the recovery account (new account) on a recurring basis - This could be using AWS Backup as well or any other services.
upvoted 2 times
...
pupsik
1 year, 6 months ago
Selected Answer: D
"Use S3 Object Lock to prevent deletion of the snapshots." makes this option vert viable, even if account gets compromised.
upvoted 2 times
bannium
1 year, 5 months ago
How I can export ebs Snapshot data to S3 bucket using AWS Backup?
upvoted 1 times
...
AgboolaKun
1 year, 5 months ago
The only concern I have with D is that there is no mention of how to access the AWS KMS CMK key used for the encryption of EBS snpshots. Therefore, I will go for C.
upvoted 2 times
confusedyeti69
1 year, 4 months ago
It is creating a snapshot and storing it in S3 of the same account, there is no need for any KMS policy to be explicitly mention in the answer. But like another previous comment mentioned, it would be better to backup the keys as well if storing the backup snapshot in another account. I vote D as answer.
upvoted 1 times
...
...
...
100fold
1 year, 6 months ago
Selected Answer: C
Answer C. The wording is rearranged, but same answer selections. https://www.examtopics.com/discussions/amazon/view/69464-exam-aws-certified-security-specialty-topic-1-question-315/
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago