Exam AWS Certified Security - Specialty SCS-C02 All Questions

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 219 discussion

A security engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the security engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

  • A. The log files fail integrity validation and automatically are marked as unavailable.
  • B. The KMS key policy does not grant the security engineer’s IAM user or role permissions to decrypt with it.
  • C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  • D. An IAM policy applicable to the security engineer’s IAM user or role denies access to the “CloudTrail/” prefix in the Amazon S3 bucket.
Suggested Answer: B

Comments

molerowan
2 days, 20 hours ago
Selected Answer: B
Log Files (SSE-KMS): Logs are encrypted using a KMS key. To decrypt them, the security engineer's IAM role/user must have kms:Decrypt permissions in the KMS key policy. If the key policy lacks these permissions, the engineer cannot decrypt the logs, even if they have S3 GetObject access.

Digest Files (SSE-S3 by Default): Digest files inherit the S3 bucket's default encryption, which is often SSE-S3 (AWS-managed keys) unless explicitly configured otherwise. SSE-S3 does not require KMS permissions, allowing the engineer to read digest files with standard S3 GetObject access.
upvoted 1 times
molerowan
2 days, 20 hours ago
A: Failed integrity validation would not render logs unreadable, only flagged for tampering.

C: The logs are explicitly encrypted with SSE-KMS, so bucket defaults do not override trail settings.

D: If an IAM policy blocked the log path, the engineer couldn't access digests either if they shared the same prefix.
upvoted 1 times
Pmktechno
2 months, 2 weeks ago
Selected Answer: B
KMS Key Policy Permissions: If the KMS key policy does not explicitly grant the necessary decrypt permissions to the security engineer's IAM user or role, they will not be able to read the encrypted log files. This is a common issue when dealing with SSE-KMS encryption.

Digest Files: These files are not encrypted with the KMS key, which is why they are readable even if the log files are not.

To resolve this, the security engineer should ensure that the KMS key policy includes the appropriate permissions for their IAM user or role to decrypt the log files.
upvoted 1 times
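As an added illustration of the point both commenters make (this is example code written for this page, not code from the discussion or from AWS): a small Python check that reads a constructed KMS key policy, decides whether it grants kms:Decrypt to a given role ARN, and then shows the same policy with the missing grant statement appended. The account ID, the role name, the key policy contents and the simplified evaluation (explicit principal ARNs and wildcards only, no Condition handling, no evaluation of IAM identity policies) are assumptions made for illustration. The digest-file behaviour modelled in `diagnose_trail_reads` follows the comments above.

```python
"""Simplified check: does a KMS key policy grant kms:Decrypt to a principal?"""
import fnmatch
import json

# Constructed sample key policy (placeholder account id 111122223333).
# CloudTrail can generate data keys to encrypt log files, but no statement
# grants the security engineer's role kms:Decrypt, which is the scenario in
# answer B. The root statement only delegates to IAM policies; it is not a
# grant to the role itself and the checker below does not treat it as one.
KEY_POLICY_MISSING_DECRYPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
        },
    ],
})

# Placeholder role ARN for the security engineer (assumption).
ENGINEER_ROLE = "arn:aws:iam::111122223333:role/SecurityEngineer"


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    """Match '*', {'AWS': '*'} or an explicit AWS principal ARN (simplified)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS")))
    return False


def _action_matches(actions, action):
    """IAM action names are case-insensitive and may use '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(actions))


def key_policy_allows(policy_json, principal_arn, action):
    """True if the key policy itself allows `action` for `principal_arn`.

    An explicit Deny that matches wins over any Allow, as in IAM evaluation.
    Condition blocks are ignored in this simplified model.
    """
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not _action_matches(stmt.get("Action"), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def diagnose_trail_reads(policy_json, principal_arn):
    """Model the symptom in the question: digest files are readable because
    they do not depend on the KMS key (per the discussion above), while log
    files need kms:Decrypt through the key policy."""
    return {
        "digest_files_readable": True,  # SSE-S3: no KMS permission involved
        "log_files_readable": key_policy_allows(policy_json, principal_arn, "kms:Decrypt"),
    }


def add_decrypt_grant(policy_json, principal_arn):
    """Return a copy of the key policy with a statement granting kms:Decrypt
    to the given principal, the fix the commenters describe."""
    policy = json.loads(policy_json)
    policy["Statement"].append({
        "Sid": "Allow the security engineer role to decrypt log files",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "kms:Decrypt",
        "Resource": "*",
    })
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("before:", diagnose_trail_reads(KEY_POLICY_MISSING_DECRYPT, ENGINEER_ROLE))
    fixed = add_decrypt_grant(KEY_POLICY_MISSING_DECRYPT, ENGINEER_ROLE)
    print("after: ", diagnose_trail_reads(fixed, ENGINEER_ROLE))
```

Running the script prints the log files as unreadable with the original key policy and readable once the decrypt statement is added; in a real account the same check would be made against the policy returned by `aws kms get-key-policy`, and the engineer would also confirm that `s3:GetObject` on the log prefix is allowed, since both are required.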
Community vote distribution
A (35%)
C (25%)
B (20%)
Other