ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 793 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 793
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company has a mobile app for customers. The app’s data is sensitive and must be encrypted at rest. The company uses AWS Key Management Service (AWS KMS).

The company needs a solution that prevents the accidental deletion of KMS keys. The solution must use Amazon Simple Notification Service (Amazon SNS) to send an email notification to administrators when a user attempts to delete a KMS key.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an Amazon EventBridge rule that reacts when a user tries to delete a KMS key. Configure an AWS Config rule that cancels any deletion of a KMS key. Add the AWS Config rule as a target of the EventBridge rule. Create an SNS topic that notifies the administrators.
  • B. Create an AWS Lambda function that has custom logic to prevent KMS key deletion. Create an Amazon CloudWatch alarm that is activated when a user tries to delete a KMS key. Create an Amazon EventBridge rule that invokes the Lambda function when the DeleteKey operation is performed. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that notifies the administrators.
  • C. Create an Amazon EventBridge rule that reacts when the KMS DeleteKey operation is performed. Configure the rule to initiate an AWS Systems Manager Automation runbook. Configure the runbook to cancel the deletion of the KMS key. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that notifies the administrators.
  • D. Create an AWS CloudTrail trail. Configure the trail to deliver logs to a new Amazon CloudWatch log group. Create a CloudWatch alarm based on the metric filter for the CloudWatch log group. Configure the alarm to use Amazon SNS to notify the administrators when the KMS DeleteKey operation is performed.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Andy_09 at Feb. 6, 2024, 8:55 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Andy_09
Highly Voted 1 year, 1 month ago
Option C https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-and-remediate-scheduled-deletion-of-aws-kms-keys.html
upvoted 14 times
...
hajra313
Highly Voted 1 year, 1 month ago
option c bcz Option C emerges as the clear winner due to its: Direct event monitoring for the DeleteKey operation Pre-built automation using Systems Manager Automation runbooks Efficient notification via Amazon SNS Minimal code development and operational overhead Reduced risk of accidental deletion with faster response times
upvoted 10 times
...
FlyingHawk
Most Recent 2 months ago
Selected Answer: C
A- AWS config is for detection, not for prevention, it cannot cancel the deletion. B is more effort to implement the custom logic to prevent KMS key deletion. C is correct to use EventBridge rule to detect it then config the rule to use AWS System Manager Automation rubook to cancel the deletion and publish the event to SNS. D - does not have action for prevent the deletion of key.
upvoted 2 times
...
JA2018
4 months ago
Selected Answer: C
Option C provides the most streamlined solution with minimal additional components needed (LEAST operational overhead). It directly leverages EventBridge to monitor for KMS key deletion attempts, triggers a Systems Manager Automation runbook to automatically prevent the deletion, and sends notifications through SNS without requiring additional Lambda functions or complex CloudWatch metric filtering.
upvoted 1 times
...
MatAlves
6 months, 1 week ago
Selected Answer: C
"Deletion of an AWS KMS key is scheduled. The scheduled-deletion event is evaluated by an EventBridge rule. The EventBridge rule engages the Amazon SNS topic. The EventBridge rule initiates the Systems Manager automation and runbooks. The runbooks cancel the deletion." https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-and-remediate-scheduled-deletion-of-aws-kms-keys.html
upvoted 2 times
...
JunsK1e
8 months, 3 weeks ago
Selected Answer: C
I agree with andy_09
upvoted 2 times
...
Dammy031
9 months, 1 week ago
Selected Answer: D
Cloud trail helps to keep all invoked API calls in the AWS account which can trail back to the delete call made by a user CloudWatch triggers an alarm when deletion is attempted. SNS sends a notification to the administration about the attempt made. All these met the requirement of the question.
upvoted 2 times
...
sandordini
11 months, 1 week ago
Selected Answer: C
My educated guess was C. Now, reading the comments, from Hajrá313 and knben I feel confident as well :)
upvoted 3 times
...
camps
1 year ago
It's D https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html#cloudwatch-alarm-prerequisites
upvoted 2 times
Salilgen
2 months, 3 weeks ago
This procedures create an alarm that notifies you when someone in your account tries to use a KMS key that is pending deletion. It does't notify you when a user attempts to delete a KMS key or even prevent deletion of the key
upvoted 1 times
...
...
1dd
1 year ago
C as it " cancel the deletion of the KMS key"
upvoted 2 times
...
knben
1 year, 1 month ago
I would go with C A -> Config is for compliance B -> No lambda is required, too much complexity C -> It achieves the goal, since KMS keys are not immediately deleted, which gives time to automation to cancel the action D -> Cloudtrail is for auditing
upvoted 4 times
...
NayeraB
1 year, 1 month ago
Selected Answer: C
I agree with hajra313
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago