exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 154 discussion

A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.

The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key.

What should the company do next to meet these requirements?

  • A. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
  • B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
  • C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
  • D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
PegasusForever
3 months, 1 week ago
Selected Answer: D The S3 bucket API does not support passing an explicity deny condition for unencrypted S3 bucket, it is allowed just at the object level, for that reason I am going with D.
upvoted 1 times
helloworldabc
2 months, 2 weeks ago
just C
upvoted 1 times
...
...
nischal77777
3 months, 2 weeks ago
Selected Answer: C
Key Policy: The key policy limits the kms:Decrypt action to specific services, enforcing least privilege access, which is good practice. SCP to Deny Creation: The SCP would prevent the creation of any unencrypted S3 buckets and DynamoDB tables across the entire organization
upvoted 1 times
...
heatblur
3 months, 4 weeks ago
Answer is C because: 1. Allowing the kms:Decrypt action only for the specified services, enforcing encryption. 2. Creating an SCP to deny the creation of any unencrypted S3 buckets and DynamoDB tables. This approach ensures that all sensitive data is encrypted at rest using the customer-managed key, while still allowing the necessary access to the specified AWS services.
upvoted 2 times
...
xekiva3329
5 months, 2 weeks ago
Selected Answer: C
answer: C
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago