Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 154 discussion

A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.

The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key.

What should the company do next to meet these requirements?

  • A. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
  • B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function that runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
  • C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
  • D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
Suggested Answer: C
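To make the two halves of answer C concrete, here is a key policy that limits kms:Decrypt by kms:ViaService, an SCP that denies S3 uploads not encrypted with the key, and two small checks a reviewer would run over them. This is an added, constructed example, not part of the question or of any AWS-published policy: the account ID, region, role names and key ID are placeholders, and the tiny evaluator only models the StringEquals and StringNotEquals operators these policies use. Note what the audit flags: the standard root statement in a key policy also lets IAM policies in the account grant Decrypt, so least privilege still depends on those IAM policies.

```python
"""Key policy + SCP for the SCS-C02 scenario, with two checks (constructed example)."""
import fnmatch
import json

ACCOUNT = "111122223333"  # placeholder account ID
REGION = "us-east-1"      # placeholder region
KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT}:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder key ID

# Key policy: root keeps admin rights (standard first statement; it also lets
# IAM policies grant kms:Decrypt, which the audit below flags). The reader
# roles may decrypt only when S3 or DynamoDB calls KMS on their behalf
# (kms:ViaService); a direct kms:Decrypt from Lambda or an EKS pod does not match.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootAccountPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowDecryptOnlyViaS3AndDynamoDB", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/data-reader-lambda",
                               f"arn:aws:iam::{ACCOUNT}:role/data-reader-eks-pod"]},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": [
             f"s3.{REGION}.amazonaws.com", f"dynamodb.{REGION}.amazonaws.com"]}}},
    ],
}

# SCP: S3 exposes encryption condition keys on PutObject, so deny uploads that
# do not use SSE-KMS with this key. Two statements on purpose: keys inside one
# StringNotEquals block are ANDed, so a single combined statement would NOT
# deny an object encrypted with a different KMS key.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyS3ObjectsNotUsingSSEKMS", "Effect": "Deny",
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyS3ObjectsNotUsingTheCompanyKey", "Effect": "Deny",
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator, clauses, ctx):
    """Evaluate one condition-operator block against a request context dict."""
    for key, wanted in clauses.items():
        wanted, actual = _as_list(wanted), ctx.get(key)
        if operator == "StringEquals":
            if actual is None or actual not in wanted:
                return False
        elif operator == "StringNotEquals":
            # Negated operators match when the key is absent from the request;
            # that is what makes "deny unless header X is present" work.
            if actual is not None and actual in wanted:
                return False
        else:
            raise ValueError(f"operator not modelled: {operator}")
    return True


def scp_denies(scp, action, ctx):
    """Sid of the first Deny statement matching action + context, else None."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_holds(op, cl, ctx) for op, cl in conds.items()):
            return stmt["Sid"]
    return None


def unrestricted_decrypt_sids(policy):
    """Sids of Allow statements covering kms:Decrypt with no kms:ViaService limit."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("kms:Decrypt", a) for a in _as_list(stmt["Action"])):
            continue
        if not any("kms:ViaService" in cl for cl in stmt.get("Condition", {}).values()):
            found.append(stmt["Sid"])
    return found


if __name__ == "__main__":
    print(json.dumps(KEY_POLICY, indent=2))
    print("Allow statements without a ViaService limit:", unrestricted_decrypt_sids(KEY_POLICY))
    for ctx in ({}, {"s3:x-amz-server-side-encryption": "AES256"},
                {"s3:x-amz-server-side-encryption": "aws:kms",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}):
        print(ctx, "->", scp_denies(SCP, "s3:PutObject", ctx))
```

The audit deliberately reports the root statement: that is the reminder that a key policy which "only allows Decrypt for S3 and DynamoDB" is only as tight as the IAM policies the root statement delegates to. Before relying on the SCP in production, also test it against uploads that carry no encryption header at all, since S3 applies default bucket encryption without adding the header to the request context and the StringNotEquals deny will fire on them.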

Comments

PegasusForever
2 weeks, 6 days ago
Selected Answer: D
The S3 bucket API does not support passing an explicit deny condition for an unencrypted S3 bucket; it is allowed just at the object level. For that reason I am going with D.
upvoted 1 times
helloworldabc
15 hours, 1 minute ago
just C
upvoted 1 times
nischal77777
1 month ago
Selected Answer: C
Key Policy: The key policy limits the kms:Decrypt action to specific services, enforcing least privilege access, which is good practice. SCP to Deny Creation: The SCP would prevent the creation of any unencrypted S3 buckets and DynamoDB tables across the entire organization
upvoted 1 times
heatblur
1 month, 1 week ago
Answer is C because: 1. Allowing the kms:Decrypt action only for the specified services, enforcing encryption. 2. Creating an SCP to deny the creation of any unencrypted S3 buckets and DynamoDB tables. This approach ensures that all sensitive data is encrypted at rest using the customer-managed key, while still allowing the necessary access to the specified AWS services.
upvoted 2 times
xekiva3329
2 months, 3 weeks ago
Selected Answer: C
answer: C
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other