Welcome to ExamTopics

Exam AWS Certified Security - Specialty topic 1 question 33 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 33
Topic #: 1

An application has a requirement to be resilient across not only Availability Zones within the application's primary region but also be available within another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?

  • A. Copy the application's AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
  • B. Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
  • C. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key.
  • D. Configure the target region's AWS service to communicate with the source region's AWS KMS so that it can decrypt the resource in the target region.
Suggested Answer: C
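Option C describes an envelope-encryption re-wrap: the replicated object keeps its ciphertext, and only the data encryption key (DEK) is unwrapped under the source Region's KMS key and wrapped again under the target Region's key. The following is an added illustration written for this thread, not code from ExamTopics or AWS. `FakeKms` is a constructed offline stand-in for a Region-scoped `boto3.client("kms")` that keeps boto3's parameter and response names (`KeyId`, `Plaintext`, `CiphertextBlob`, `EncryptionContext`); its HMAC-based wrapping is only a stand-in for the AES-GCM that KMS actually uses, and all ARNs and account numbers are made up. It also shows why option D does not work: a Region's KMS endpoint cannot decrypt a blob wrapped under another Region's single-Region key.

```python
"""Re-wrapping a KMS-protected data key for a second Region (added example, not AWS code)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream of n bytes (stand-in for AES-GCM)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with aad bound into the tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong key, tampered blob or context mismatch)")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))


def _aad(context) -> bytes:
    """KMS binds the encryption context to the ciphertext; canonicalise it the same way."""
    return json.dumps(context or {}, sort_keys=True).encode()


@dataclass
class FakeKms:
    """Constructed offline stand-in for boto3.client("kms", region_name=region)."""
    region: str
    keys: dict = field(default_factory=dict)  # key ARN -> 32-byte key material

    def create_key(self) -> str:
        key_id = "11111111-2222-3333-4444-" + secrets.token_hex(6)      # constructed key ID
        arn = f"arn:aws:kms:{self.region}:123456789012:key/{key_id}"  # constructed account
        self.keys[arn] = secrets.token_bytes(32)
        return arn

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        dek = secrets.token_bytes(32)
        wrapped = self.encrypt(KeyId=KeyId, Plaintext=dek, EncryptionContext=EncryptionContext)
        return {"KeyId": KeyId, "Plaintext": dek, "CiphertextBlob": wrapped["CiphertextBlob"]}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        # A KMS ciphertext records which key wrapped it; model that with an ARN prefix.
        blob = _seal(self.keys[KeyId], Plaintext, _aad(EncryptionContext))
        return {"KeyId": KeyId, "CiphertextBlob": KeyId.encode() + b"|" + blob}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        arn, blob = CiphertextBlob.split(b"|", 1)
        arn = arn.decode()
        if arn not in self.keys:  # key lives in another Region: this endpoint cannot use it
            raise KeyError(f"{arn} is not a key in {self.region}")
        return {"KeyId": arn, "Plaintext": _open(self.keys[arn], blob, _aad(EncryptionContext))}


def rewrap_dek(wrapped: bytes, source_kms, target_kms, target_key_arn: str, context: dict) -> bytes:
    """Option C: unwrap with the source Region's key, wrap again with the target Region's key.
    The plaintext DEK exists only transiently here; the object ciphertext is left untouched."""
    dek = source_kms.decrypt(CiphertextBlob=wrapped, EncryptionContext=context)["Plaintext"]
    return target_kms.encrypt(KeyId=target_key_arn, Plaintext=dek,
                              EncryptionContext=context)["CiphertextBlob"]


def replicate_demo(payload: bytes = b"quarterly numbers") -> dict:
    source, target = FakeKms("us-east-1"), FakeKms("eu-west-1")
    src_key, dst_key = source.create_key(), target.create_key()
    context = {"bucket": "example-bucket", "object": "report.csv"}  # constructed context
    # Envelope-encrypt in the source Region: the DEK protects the object, KMS protects the DEK.
    dk = source.generate_data_key(KeyId=src_key, EncryptionContext=context)
    object_ct = _seal(dk["Plaintext"], payload, b"")
    # Option D: asking the target Region's KMS to open the source-wrapped DEK fails.
    try:
        target.decrypt(CiphertextBlob=dk["CiphertextBlob"], EncryptionContext=context)
        cross_region_ok = True
    except KeyError:
        cross_region_ok = False
    # Option C: re-wrap the DEK; afterwards the target Region decrypts without the source.
    wrapped_dst = rewrap_dek(dk["CiphertextBlob"], source, target, dst_key, context)
    opened = target.decrypt(CiphertextBlob=wrapped_dst, EncryptionContext=context)
    return {"recovered": _open(opened["Plaintext"], object_ct, b""),
            "cross_region_decrypt_ok": cross_region_ok,
            "wrapped_dek_changed": wrapped_dst != dk["CiphertextBlob"],
            "target_key_arn": opened["KeyId"]}


if __name__ == "__main__":
    print(replicate_demo())
```

With real boto3 clients, `rewrap_dek()` is the same two calls (`Decrypt` in the source Region, `Encrypt` in the target Region); passing the same encryption context to both is what lets the target Region's KMS reject a wrapped key presented under the wrong context.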

Comments

Wpcorgan
Highly Voted 3 years, 1 month ago
C is Correct
upvoted 18 times
ceeee
2 years, 1 month ago
No, it's B. KMS can synchronise keys in multi-region now https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 9 times
kujin
1 year, 7 months ago
C - AWS services that integrate with AWS KMS for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. They might re-wrap or re-encrypt data moved between Regions. For example, Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. Multi-Region keys are not global. You create a multi-Region primary key and then replicate it into Regions that you select within an AWS partition. Then you manage the multi-Region key in each Region independently. Neither AWS nor AWS KMS ever automatically creates or replicates multi-Region keys into any Region on your behalf. AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 2 times
bluetaurianbull
Highly Voted 3 years ago
What about the new feature released in June 2021? https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html Seems AWS KMS supports multi-Region keys now.
upvoted 17 times
EricR17
2 years, 11 months ago
This is an older question that predates those updates.
upvoted 1 times
1awssec
3 years ago
Does that mean B?
upvoted 4 times
shammous
Most Recent 2 weeks, 1 day ago
Selected Answer: C
Option C aligns with AWS best practices for cross-region resilience while ensuring data security with encryption. Here's how it addresses the requirements:
  • Cross-Region Replication: AWS services like Amazon S3 and DynamoDB offer cross-region replication, ensuring data availability across regions.
  • Re-Wrapping the Data Key: By re-wrapping the data encryption key (DEK) with a Customer Master Key (CMK) in the target region, the encrypted data can be decrypted in the target region without the need to directly copy or synchronize CMKs (which is not possible).
Why Not the Other Options?
  • Option A: AWS KMS does not allow you to copy CMKs across regions. Each CMK is region-specific.
  • Option B: AWS KMS does not support automatic synchronization of CMKs between regions.
  • Option D: KMS keys cannot be accessed across regions; they are tied to the region in which they were created.
upvoted 1 times
virtual
8 months, 4 weeks ago
Selected Answer: C
"[...]but also be available within another region altogether." So the data is to be replicated. Then, regarding KMS, you'll have to generate a replica key. So I think the right answer is C.
upvoted 1 times
Raphaello
9 months ago
Selected Answer: B
B is correct. Multi-region keys share some properties, like key material, material origin, key ID (apart from the region part ofc), and rotation. And changes made in the primary region (say change in key material or rotation) are synchronized to other regions' keys. A service like S3 (CRR) decrypts object then re-encrypts it using the destination region's key, whether it is a MRK or not (same key material/ID as the origin region's key or not). But again, this is a very badly worded question.
upvoted 1 times
pupsik
1 year, 1 month ago
Selected Answer: C
There is no ongoing synchronization of KMS keys across regions.
upvoted 1 times
liuyomz
1 year, 3 months ago
Selected Answer: C
A little bit tricky, but I would say C is correct, because it's not an automatic setting: "Multi-Region keys are not global. You create a multi-Region primary key and then replicate it into Regions that you select within an AWS partition" https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 1 times
SecureCarla
1 year, 4 months ago
C is correct. The question was referring to "AWS resources"; these resources (EBS snapshots and S3 cross-region replication are examples) treat multi-region keys as single-region keys. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 1 times
Sickcnt
1 year, 4 months ago
Selected Answer: C
"Multi-Region keys are not global. You create a multi-Region primary key and then replicate it into Regions that you select within an AWS partition. Then you manage the multi-Region key in each Region independently. Neither AWS nor AWS KMS ever automatically creates or replicates multi-Region keys into any Region on your behalf." And here comes the important part: "AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys." https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html So answer B is incorrect because AWS does NOT automatically let you use multi-region keys. You would need to set that up manually (without automation, which is what's written in answer B).
upvoted 1 times
OCHT
1 year, 5 months ago
Selected Answer: C
Explanation: This option involves using AWS services that can replicate data across regions (like S3 Cross-Region Replication, or RDS/Aurora Global Databases). When the data is replicated to the target region, the data encryption key is re-wrapped (or re-encrypted) with the CMK in the target region. This allows the data to be decrypted in the target region using the target region's CMK.
upvoted 3 times
epomatti
1 year, 2 months ago
Best explanation.
upvoted 1 times
ITGURU51
1 year, 5 months ago
AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. B
upvoted 3 times
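The disagreement between the B and C camps above comes down to two documented properties that several comments quote: related multi-Region keys share key material and a key ID (which begins with `mrk-`) and differ only in the Region segment of their ARN, while single-Region keys, including every AWS managed key, can only be used by KMS in their own Region. The small checker below is an added example written for this thread, not code from ExamTopics or AWS; it parses key ARNs and decides whether a wrapped data key can be opened in a target Region directly, through a replica key that was explicitly created there, or only after the re-wrap of option C. The ARNs and account number are constructed sample values, and `INVENTORY` stands for the keys you know exist (KMS never creates replicas on its own, so a replica appears here only because someone ran `ReplicateKey`).

```python
"""Can a KMS-wrapped data key be opened in another Region? (added example, not AWS code)"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class KmsKeyArn:
    partition: str
    region: str
    account: str
    key_id: str

    @property
    def is_multi_region(self) -> bool:
        # Multi-Region key IDs carry the documented "mrk-" prefix; single-Region IDs are plain UUIDs.
        return self.key_id.startswith("mrk-")


def parse_key_arn(arn: str) -> KmsKeyArn:
    """Parse arn:<partition>:kms:<region>:<account>:key/<key-id>; alias ARNs are rejected."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn!r}")
    _, partition, _, region, account, resource = parts
    kind, _, ident = resource.partition("/")
    if kind != "key" or not ident:
        raise ValueError(f"expected a key ARN, got resource {resource!r}")
    return KmsKeyArn(partition, region, account, ident)


def are_related_mrks(a: KmsKeyArn, b: KmsKeyArn) -> bool:
    """Primary and replica keys: same partition, account and mrk- key ID, different Regions."""
    return (a.is_multi_region and a.key_id == b.key_id and a.partition == b.partition
            and a.account == b.account and a.region != b.region)


def decryptable_in_region(wrapping_key: str, target_region: str, inventory: List[str]) -> str:
    """How ciphertext wrapped under `wrapping_key` can be opened by KMS in `target_region`.

    'same-region'     : the wrapping key lives in the target Region.
    'mrk-replica'     : a related multi-Region replica exists in the target Region (answer B's case).
    'rewrap-required' : neither holds; re-wrap the data key under a target-Region key (answer C).
    """
    key = parse_key_arn(wrapping_key)
    if key.region == target_region:
        return "same-region"
    for other in map(parse_key_arn, inventory):
        if other.region == target_region and are_related_mrks(key, other):
            return "mrk-replica"
    return "rewrap-required"


# Constructed sample inventory: one single-Region key, one MRK primary and its eu-west-1 replica.
SINGLE_REGION_KEY = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
MRK_PRIMARY = "arn:aws:kms:us-east-1:123456789012:key/mrk-1234abcd12ab34cd56ef1234567890ab"
MRK_REPLICA = "arn:aws:kms:eu-west-1:123456789012:key/mrk-1234abcd12ab34cd56ef1234567890ab"
INVENTORY = [SINGLE_REGION_KEY, MRK_PRIMARY, MRK_REPLICA]


if __name__ == "__main__":
    for key, region in [(SINGLE_REGION_KEY, "eu-west-1"), (MRK_PRIMARY, "eu-west-1"),
                        (MRK_PRIMARY, "ap-southeast-1")]:
        print(f"{key.split(':')[3]} -> {region}: {decryptable_in_region(key, region, INVENTORY)}")
```

Note that the result for the MRK primary flips to `rewrap-required` as soon as the target Region has no replica, which is the point kujin and Sickcnt make: the replica has to be created deliberately, and services such as S3 replication re-wrap regardless.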
Ashk87
1 year, 9 months ago
ChatGPT response: The option that supports the requirement for AWS resources encrypted by AWS KMS is: C. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key. This method ensures that the resources are replicated across regions and can be decrypted using the CMK in the target region. It also provides the required resilience and availability across different regions.
upvoted 1 times
BMarijuan
1 year, 7 months ago
ChatGPT has limited knowledge of events after September 2021... Multi-Region keys were enabled in late June 2021, that's why that answer might be a bit out of date. https://aws.amazon.com/es/blogs/security/encrypt-global-data-client-side-with-aws-kms-multi-region-keys/
upvoted 2 times
AWS_Noob
1 year, 9 months ago
Selected Answer: B
AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS
upvoted 2 times
bk02
1 year, 9 months ago
Selected Answer: C
The new feature of KMS multi-region is not done automatically by KMS; the key must be created as a multi-region key to replicate it to multiple regions.
upvoted 2 times
Godsky
1 year, 11 months ago
This is the answer by OpenAI :) AWS KMS Cross-Region Replication (CRR) is a feature that allows you to replicate customer master keys (CMKs) across multiple AWS Regions. This allows you to use the same CMK in multiple Regions, while ensuring that the security and integrity of the CMK
upvoted 3 times
arae
2 years ago
B because of multi region
upvoted 2 times
VijiTu
2 years, 2 months ago
Answer B https://aws.amazon.com/blogs/security/encrypt-global-data-client-side-with-aws-kms-multi-region-keys/
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other