Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 696 discussion

A company needs to provide customers with secure access to its data. The company processes customer data and stores the results in an Amazon S3 bucket.

All the data is subject to strong regulations and security requirements. The data must be encrypted at rest. Each customer must be able to access only their data from their AWS account. Company employees must not be able to access the data.

Which solution will meet these requirements?

  • A. Provision an AWS Certificate Manager (ACM) certificate for each customer. Encrypt the data client-side. In the private certificate policy, deny access to the certificate for all principals except an IAM role that the customer provides.
  • B. Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In the S3 bucket policy, deny decryption of data for all principals except an IAM role that the customer provides.
  • C. Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In each KMS key policy, deny decryption of data for all principals except an IAM role that the customer provides.
  • D. Provision an AWS Certificate Manager (ACM) certificate for each customer. Encrypt the data client-side. In the public certificate policy, deny access to the certificate for all principals except an IAM role that the customer provides.
Suggested Answer: C

Comments

tch
3 weeks, 1 day ago
Selected Answer: C
A key policy is a resource policy for an AWS KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it.
upvoted 1 times
tch
3 weeks, 1 day ago
You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
upvoted 1 times
LeonSauveterre
3 months, 2 weeks ago
Selected Answer: B
ACM certificates are for securing communication (e.g., HTTPS/SSL), not for encrypting data at rest in S3. A and D are out. Between B and C, they both create a separate key for each customer, and both work. So which is more cumbersome, managing S3 policies or managing KMS key policies? Of course the latter one. In B, S3 bucket policy centralizes access rules for all keys, while in C, policies are distributed across individual keys. That's why I decide to choose B.
upvoted 2 times
RC6
9 months, 3 weeks ago
Selected Answer: C
C looks correct
upvoted 2 times
BBR01
11 months ago
Selected Answer: C
Actually I think neither B nor C is correctly worded. If talking about key policy, it should be "Modify the key's policy to grant the IAM user permissions for the kms:GenerateDataKey and kms:Decrypt actions at minimum." If talking about bucket policy, it should be "Deny GetObject of a particular customer without the condition KMS key equals 1234abcd...."
upvoted 4 times
mohammadthainat
1 year ago
Selected Answer: C
Encryption at rest --> KMS
Each customer must be able to access only their data --> KMS key policies
upvoted 4 times
LeonSauveterre
3 months, 2 weeks ago
Each customer must be able to access only their data --> Deny decryption of data for all principals except an IAM role that the customer provides. This doesn't necessarily have to be KMS key policies. B & C both work in this scenario.
upvoted 3 times
Neung983
1 year ago
Selected Answer: B
B. Here's why this option is the best fit:
Server-Side Encryption: Encrypting data server-side with KMS ensures encryption happens transparently within AWS, eliminating the need for complex client-side management and potential security risks associated with user-managed keys.
Customer-Specific Keys: Utilizing separate KMS keys for each customer provides granular access control and encryption isolation. Each customer can only decrypt their data using their specific KMS key.
S3 Bucket Policy: By denying decryption permissions for all principals except the dedicated customer IAM role in the S3 bucket policy, unauthorized access, even from company employees, is prevented. This aligns with the requirement of customer-specific data access.
upvoted 3 times
Cali182
1 year, 1 month ago
Selected Answer: C
Option C From Chapt Option A is incorrect because using ACM certificates is typically for establishing secure communication over HTTPS and doesn't directly relate to encrypting data at rest in S3. Option B is incorrect because while it suggests using AWS KMS keys for encryption, it mentions using S3 bucket policies for access control, which would not be appropriate for controlling decryption permissions. Option D is incorrect because it suggests using ACM certificates for client-side encryption, which is not typically used for encrypting data at rest in S3, and the approach described would not effectively control access to the encrypted data.
upvoted 4 times
Andy_09
1 year, 1 month ago
Correct answer should be C
upvoted 3 times
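To make option C concrete, here is an added example (not code from the exam page or from AWS) that builds the per-customer KMS key policy the question describes, plus the companion S3 bucket policy that BBR01's comment points out is still needed to grant the customer's role s3:GetObject and to require the customer's key on writes. The account IDs, role ARN, bucket name, prefix and key ARN are constructed placeholders. The Deny is scoped to the data-plane actions (kms:Decrypt, kms:GenerateDataKey*) so the company can still administer the key without being able to read customer data, and it is written as Principal "*" with an aws:PrincipalArn condition, which exempts the customer's role sessions. verify_key_policy is a structural self-check on the generated document, not an IAM policy simulator.

```python
"""Per-customer KMS key policy and S3 bucket policy for the option C pattern.

Added example for this discussion; not code from the exam or from AWS.
All account IDs, ARNs, bucket and prefix names are constructed placeholders.
"""
import fnmatch
import json

COMPANY_ACCOUNT = "111111111111"                                        # placeholder
CUSTOMER_ROLE = "arn:aws:iam::222222222222:role/CustomerDataReader"     # placeholder
BUCKET = "example-customer-results"                                     # placeholder
KEY_ARN = ("arn:aws:kms:us-east-1:111111111111:key/"
           "00000000-0000-0000-0000-000000000000")                     # placeholder

# Actions S3 calls on the key for SSE-KMS reads (Decrypt) and writes (GenerateDataKey).
DATA_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey*"]


def build_customer_key_policy(company_account: str, customer_role_arn: str) -> dict:
    """Company administers the key but never uses it; only the customer's role
    may decrypt; an explicit Deny covers every other principal, including
    company employees who might otherwise be allowed through an IAM policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Key administration only: no Decrypt/Encrypt/GenerateDataKey here.
                "Sid": "CompanyKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{company_account}:root"},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                           "kms:Get*", "kms:Delete*", "kms:TagResource",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # Cross-account grant to the role the customer supplied.
                "Sid": "CustomerDataAccess",
                "Effect": "Allow",
                "Principal": {"AWS": customer_role_arn},
                "Action": DATA_ACTIONS,
                "Resource": "*",
            },
            {   # Explicit Deny wins over any Allow. aws:PrincipalArn of a role
                # session is the role ARN, so the customer's sessions are exempt.
                "Sid": "DenyDataAccessToEveryoneElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": DATA_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": customer_role_arn}},
            },
        ],
    }


def build_bucket_policy(bucket: str, customer_role_arn: str, prefix: str, key_arn: str) -> dict:
    """S3 side: the customer role may read only its own prefix, and objects
    under that prefix must be written with SSE-KMS using that customer's key."""
    resource = f"arn:aws:s3:::{bucket}/{prefix}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CustomerReadOwnPrefix", "Effect": "Allow",
             "Principal": {"AWS": customer_role_arn},
             "Action": "s3:GetObject", "Resource": resource},
            {"Sid": "RequireCustomerKeyOnWrite", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _touches_data_action(actions) -> bool:
    """True if any action pattern in a statement can match a data-plane action."""
    return any(fnmatch.fnmatchcase(d, a) or fnmatch.fnmatchcase(a, d)
               for a in _as_list(actions) for d in DATA_ACTIONS)


def verify_key_policy(policy: dict, customer_role_arn: str) -> list:
    """Structural check: return findings (empty list means the policy matches
    the intended pattern). Not a substitute for IAM policy simulation."""
    findings, deny_seen = [], False
    for st in policy["Statement"]:
        if not _touches_data_action(st["Action"]):
            continue
        p = st.get("Principal")
        principals = _as_list(p.get("AWS", p)) if isinstance(p, dict) else _as_list(p)
        if st["Effect"] == "Allow" and principals != [customer_role_arn]:
            findings.append(f"{st['Sid']}: data action allowed to {principals}")
        elif st["Effect"] == "Deny":
            cond = st.get("Condition", {}).get("StringNotEquals", {})
            covers_all = all(any(fnmatch.fnmatchcase(d, a) for a in _as_list(st["Action"]))
                             for d in DATA_ACTIONS)
            if p == "*" and covers_all and cond.get("aws:PrincipalArn") == customer_role_arn:
                deny_seen = True
    if not deny_seen:
        findings.append("no explicit Deny of data actions for non-customer principals")
    return findings


if __name__ == "__main__":
    key_policy = build_customer_key_policy(COMPANY_ACCOUNT, CUSTOMER_ROLE)
    print(json.dumps(key_policy, indent=2))
    print("findings:", verify_key_policy(key_policy, CUSTOMER_ROLE))
```

Run as-is to print the generated key policy and an empty findings list; adding kms:Decrypt to the company's administration statement, or dropping the Deny statement, produces a finding. One key per customer is what makes this work: because the Deny lives in the key policy and covers the key itself, no bucket policy or company IAM policy can widen who decrypts that customer's data.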
Community vote distribution
A (35%)
C (25%)
B (20%)
Other