Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 137 discussion

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources. The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

  • A. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.
  • B. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
  • C. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
  • D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.
Suggested Answer: D

Comments

5409b91
Highly Voted 6 months, 2 weeks ago
Selected Answer: D
D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.
Customer Managed KMS Key: Encrypting secrets in us-east-1 with a customer managed KMS key allows greater control over key rotation policies and permissions, ensuring higher security and compliance.
Replication of secrets to us-west-1: Replicating the secrets to us-west-1 ensures that the secrets are available in both regions, meeting the requirement to function even if only one region is available.
Using the same customer managed KMS key in us-west-1: Encrypting the secrets in us-west-1 using the KMS key from us-east-1 ensures consistency in encryption and secret management across regions. Additionally, this can help minimize latency, as the same key is used for both regions, making the replication process more efficient.
upvoted 9 times
...
klumzy
Most Recent 2 months, 2 weeks ago
A. KMS has regional service.
upvoted 1 times
...
jamesf
3 months, 1 week ago
Selected Answer: D
I go for D. Not option A, because of separate keys: "Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1"
upvoted 1 times
...
FunkyFresco
3 months, 1 week ago
Selected Answer: A
Option A is the right one.
upvoted 1 times
helloworldabc
2 months, 2 weeks ago
just D
upvoted 1 times
...
...
HunkyBunky
3 months, 2 weeks ago
Selected Answer: A
I guess A, because the solution must work even if us-east-1 is unavailable, so we must use an encryption key from us-west-1 too
upvoted 1 times
HunkyBunky
3 months, 2 weeks ago
Also, AWS Secrets Manager expects that the KMS key should be in a replica region. So we can go only with A. https://docs.aws.amazon.com/secretsmanager/latest/userguide/replicate-secrets.html
upvoted 1 times
...
...
Arad
5 months, 1 week ago
Selected Answer: A
A is correct, the key point is availability in case one region is down.
upvoted 3 times
...
cumzle_com
5 months, 2 weeks ago
Selected Answer: D
Secrets are replicated to both regions, minimizing latency and ensuring availability. Using the same KMS key ensures consistent access control and simplifies management.
upvoted 2 times
...
aescudero51
6 months ago
Selected Answer: B
My answer is B.
Encrypt the secrets in us-east-1 by using an AWS managed KMS key: Create an AWS managed KMS key in the us-east-1 Region. This key will be used to encrypt the secrets in both Regions. Use this key to encrypt the secrets in us-east-1.
Replicate the secrets to us-west-1: Use the AWS Secrets Manager to replicate the encrypted secrets from us-east-1 to us-west-1. This ensures that the same secrets are available in both Regions.
Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1: Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1 to retrieve the encrypted secrets. This allows the resources in us-west-1 to access the secrets without having to replicate the secrets to us-west-1.
upvoted 1 times
...
grekh001
6 months, 1 week ago
A. "The solution must minimize latency and must be able to work if only one Region is available." A is the only solution that can work if one region is down.
upvoted 2 times
...
Certified101
6 months, 2 weeks ago
Selected Answer: A
A is correct
upvoted 3 times
...
Nash101
6 months, 2 weeks ago
D
A. Separate KMS Keys: Using separate managed KMS keys per Region creates a dependency on both Regions being available for decryption. If only one Region is accessible, the other Region's key wouldn't be usable.
B & C. Secrets Manager Endpoint in us-east-1: These options rely on resources in us-west-1 calling the Secrets Manager endpoint in us-east-1. This introduces a single point of failure in us-east-1 and wouldn't achieve the desired redundancy and availability if us-east-1 becomes unavailable.
upvoted 2 times
...
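The point argued in the thread above is which Region the replica's KMS key lives in. As an added example (not part of the original discussion or of any AWS tooling), this offline pre-flight check inspects the `AddReplicaRegions` list of a `ReplicateSecretToRegions` request and reports, per replica, the Region the named key belongs to. The function name, verdict strings, account ID and key IDs are constructed for illustration.

```python
import re

# KMS ARN layout: arn:<partition>:kms:<region>:<account>:key/<id> or alias/<name>
KMS_ARN = re.compile(r"^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):(key|alias)/(.+)$")

def check_replicas(add_replica_regions):
    """Classify each AddReplicaRegions entry ({"Region", optional "KmsKeyId"}).

    Returns a list of (region, verdict) tuples. Nothing is sent to AWS;
    this only reads the Region encoded in each key ARN.
    """
    results = []
    for entry in add_replica_regions:
        region = entry["Region"]
        key = entry.get("KmsKeyId")
        if key is None or key == "alias/aws/secretsmanager":
            # With no KmsKeyId, Secrets Manager uses aws/secretsmanager.
            results.append((region, "ok: AWS managed key in replica Region"))
            continue
        m = KMS_ARN.match(key)
        if m is None:
            # Bare key ID or alias name: carries no Region, cannot be checked here.
            results.append((region, "unverified: key must exist in replica Region"))
        elif m.group(2) != region:
            results.append((region, f"error: key is in {m.group(2)}, not {region}"))
        elif m.group(4) == "key" and m.group(5).startswith("mrk-"):
            # Multi-Region keys share one mrk- key ID; the ARN Region differs.
            results.append((region, "ok: multi-Region key replica in replica Region"))
        else:
            results.append((region, "ok: customer managed key in replica Region"))
    return results

# Constructed sample entries (account ID and key IDs are placeholders).
SAMPLE = [
    {"Region": "us-west-1"},
    {"Region": "us-west-1",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Region": "us-west-1",
     "KmsKeyId": "arn:aws:kms:us-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"},
    {"Region": "us-west-1", "KmsKeyId": "alias/app-secrets"},
]

if __name__ == "__main__":
    for region, verdict in check_replicas(SAMPLE):
        print(region, "->", verdict)
```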