Exam AWS Certified Security - Specialty topic 1 question 79 discussion

Correct answer is C. A. wrong - never ever store sensitive data in metadata B. wrong - as mentioned, s3:List will show file names (s3 keys) D. wrong - might have been the right answer in the 70's

With 20 years in cyber security areas from vavirous roles as Cyber Architect, Pen-Tester, Cyber Analysist, Network Security Engineer and Head of InfoSec...I can pretty sure 1000% there is no solution for this point "the most secure and cost-effective option". I can just focus to the most cost-effective option or the most secure option, not both.

Very poor question. Protect the sensitive data against what? Against who? All four options mean absolutely nothing without proper context. Cannot rationally compare and choose BOTH the most secure AND cost-effective without even giving a proper context. I doubt a question like this one shows up in at professional cert exam. It's a joke!

Correct Answer: C Everyone answering A is clearly wrong for the following reason. Amazon S3 uses AWS KMS keys to encrypt your Amazon S3 objects. AWS KMS encrypts only the object data - source -https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingMetadata.html AWS is not encrypting metadata, storing the PII in S3 user-defined metadata is not protecting the confindentialy aspect of data, thus the only viable option is to choose c as the correct answer

A, more cost effective

Client-side encryption is a feature that allows you to encrypt sensitive data on the client side before sending it to Amazon DynamoDB. This ensures that the data is encrypted both at rest and in transit. C

A is clearly the solution because it solves the problem and is free. The only way to get access to the sensitive would be to have access to the object itself.

'A' is the most cost effective and meets the question requirements (there is no explicit need to encrypt the PII, only to remove it from the filename). 'C' is significantly more secure, but significantly more expensive. Both would work and solve the problem. This question is garbage.

whoever answered A is correct.. do not overlook. use s3 native features than looking other solutions the situation is PII data in file name most secure and cost-effective is using user defined metadata

Option A proposes removing the sensitive data from the object name and storing it using S3 user-defined metadata, which is a simpler and more cost-effective solution that still provides adequate security by separating sensitive information from the object name. C - is additonal cost.

C is the correct answer

Answer C: S3 Metadata index in encrypted DynamoDB

metadata is not encrypted.

A and C are basically the same solution, using metadata in the name of the files. But A is less expansive

Correct answer is C.

Answer is C. A: Storing sensitive data as S3 user-defined metadata is no more secure than having the sensitive data in the object name. B: Anyone with S3:ListBucket permissions will be able to list the objects in the bucket, and as the object names contain the sensitive data, that's an issue. D: Would be secure, but if there is a large amount of data this will become very expensive. Answer C: Random unique object key - this hides the PII data from the file name S3 Metadata index in encrypted DynamoDB - this secures the PII C is also cost-effective. Metadata is small and won't be expensive to store.

C is my answer!