Exam AWS Certified Solutions Architect - Professional topic 1 question 763 discussion

A company has multiple business units. Each business unit has its own AWS account and runs a single website within that account. The company also has a single logging account. Logs from each business unit website are aggregated into a single Amazon S3 bucket in the logging account. The S3 bucket policy provides each business unit with access to write data into the bucket and requires data to be encrypted.
The company needs to encrypt logs uploaded into the bucket using a single AWS Key Management Service (AWS KMS) CMK. The CMK that protects the data must be rotated once every 365 days.
Which strategy is the MOST operationally efficient for the company to use to meet these requirements?

  • A. Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Manually rotate the CMK every 365 days.
  • B. Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Enable automatic rotation of the CMK.
  • C. Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Manually rotate the CMK every 365 days.
  • D. Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Enable automatic rotation of the CMK.
Suggested Answer: B
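A worked example of what answer B looks like in practice, added here and not part of the exam question or the ExamTopics page. It builds the three policy documents the design needs (the key policy on the customer managed key in the logging account, the IAM policy each business unit must attach to its uploading principal, and the bucket policy that refuses anything not encrypted with that one key) and evaluates constructed upload requests against them offline. All account IDs, the key ID and the bucket name are hypothetical placeholders.

```python
"""
Added example for the scenario in the question (not code from ExamTopics or AWS):
the policy documents behind answer B plus a small offline evaluator that shows
why an upload passes or fails. Account IDs, key ID and bucket name are made up.
"""
import fnmatch
import json
import re

LOGGING_ACCOUNT = "111111111111"                 # hypothetical logging account
BU_ACCOUNTS = ["222222222222", "333333333333"]   # hypothetical business unit accounts
KEY_ARN = (f"arn:aws:kms:us-east-1:{LOGGING_ACCOUNT}:key/"
           "0000aaaa-1111-2222-3333-444455556666")  # hypothetical customer managed key
BUCKET = "example-central-logs"                  # hypothetical bucket

def kms_key_policy():
    """Key policy on the customer managed key in the logging account. The logging
    account keeps full administration; each business unit account gets only what
    S3 needs to write SSE-KMS objects on its behalf (GenerateDataKey, not Decrypt)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LoggingAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{LOGGING_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "BusinessUnitsEncryptLogs", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in BU_ACCOUNTS]},
         "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"}]}

def bu_iam_policy():
    """IAM policy for the uploading role inside each business unit account. A
    cross-account key policy grants the *account*; the account must still delegate
    the permission to its own principals or the upload fails with AccessDenied."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": KEY_ARN},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def bucket_policy():
    """Bucket policy in the logging account: business units may write, and any
    PutObject that is not SSE-KMS with the central key is denied. Two Deny
    statements are used because keys inside one Condition block are ANDed."""
    obj = f"arn:aws:s3:::{BUCKET}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "BusinessUnitsWrite", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in BU_ACCOUNTS]},
         "Action": "s3:PutObject", "Resource": obj},
        {"Sid": "DenyNotSseKms", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": obj,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyOtherKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": obj,
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}}]}

def _actions(stmt):
    a = stmt["Action"]
    return [a] if isinstance(a, str) else list(a)

def _accounts(stmt):
    """Account IDs named as arn:aws:iam::<acct>:root in a statement's Principal."""
    p = stmt["Principal"]
    if p == "*":
        return {"*"}
    arns = p["AWS"] if isinstance(p["AWS"], list) else [p["AWS"]]
    found = (re.match(r"arn:aws:iam::(\d{12}):root", arn) for arn in arns)
    return {m.group(1) for m in found if m}

def accounts_granted(policy, action):
    """Accounts that some Allow statement grants `action` (wildcards honoured)."""
    return {acct for s in policy["Statement"] if s["Effect"] == "Allow"
            and any(fnmatch.fnmatch(action, pat) for pat in _actions(s))
            for acct in _accounts(s)}

def check_put_object(caller_account, headers):
    """Offline walk through the authorization an upload must pass. Returns
    (allowed, reason). A missing header makes StringNotEquals true, as in IAM,
    so an upload with no encryption header at all is denied."""
    bp = bucket_policy()
    for s in bp["Statement"]:
        if s["Effect"] != "Deny":
            continue
        for key, want in s["Condition"]["StringNotEquals"].items():
            header = key.split("s3:", 1)[1]
            if headers.get(header) != want:
                return False, f"bucket policy {s['Sid']}: {header} must be {want}"
    if caller_account not in accounts_granted(bp, "s3:PutObject"):
        return False, "bucket policy: caller account is not allowed s3:PutObject"
    # S3 calls kms:GenerateDataKey on the caller's behalf, so the key policy must grant it
    if caller_account not in accounts_granted(kms_key_policy(), "kms:GenerateDataKey"):
        return False, "KMS key policy: caller account cannot call kms:GenerateDataKey"
    return True, "allowed"

if __name__ == "__main__":
    print(json.dumps(kms_key_policy(), indent=2))
    good = {"x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}
    print(check_put_object(BU_ACCOUNTS[0], good))                                 # allowed
    print(check_put_object(BU_ACCOUNTS[0], {"x-amz-server-side-encryption": "AES256"}))
```

Once the key exists with this policy, the 365-day requirement is one call in the logging account: `aws kms enable-key-rotation --key-id <key-id>`, verified with `aws kms get-key-rotation-status --key-id <key-id>` (the key policy itself is applied with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json`). Rotation is off by default for a customer managed key, which is the step answers A and C leave to a human; an AWS managed key exposes neither the key policy edit nor the rotation toggle, which is why C and D cannot grant the business unit accounts anything.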

Comments

Jupi
Highly Voted 3 years, 1 month ago
A - incorrect - Manual rotation of the key is not good.
B - Correct - Use a customer managed CMK if you want to grant cross-account access to your S3 objects. You can configure the policy of a customer managed CMK to allow access from another account. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
C, D - Incorrect. You cannot manage Amazon managed CMKs, rotate them, or change their key policies. AWS managed customer master key (CMK) key policies can't be modified because they're read-only.
upvoted 15 times
...
mericov
Highly Voted 3 years, 2 months ago
B - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
upvoted 5 times
...
andras
Most Recent 1 year, 9 months ago
In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days). New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter. Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys
upvoted 1 times
...
unknownUser22952
1 year, 9 months ago
For those who all are choosing option D, we don't need to explicitly enable automatic key rotation for aws managed cmk, since it is aws managed, it is enabled by default. For the customer managed cmk, the automatic rotation is disabled by default, we need to enable it explicitly. So, B is obviously the best answer.
upvoted 1 times
...
Heer
1 year, 10 months ago
Seems like Option D is more relevant Using an AWS managed CMK in the logging account is a good option to meet the requirement of encrypting logs in the S3 bucket. By using an AWS managed CMK, the company can simplify the process of managing the key and can benefit from the built-in key rotation functionality. To further secure the key, the company should update the key policy to provide access to the logging account only. This will ensure that the key can only be used to encrypt logs uploaded by the business units and no other services. Enabling automatic rotation of the key will help the company meet the requirement of rotating the key once every 365 days, which is a best practice for key management.
upvoted 1 times
...
Vash2303
1 year, 10 months ago
Selected Answer: D
D. It is AWS managed CMK on which you can apply policy. It is not AWS owned key.
upvoted 1 times
...
AwsBRFan
2 years, 1 month ago
Selected Answer: D
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html "Server-side encryption is the encryption of data at its destination by the application or service that receives it." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html "Automatic key rotation is disabled by default on customer managed keys but authorized users can enable and disable it. When you enable (or re-enable) automatic key rotation, AWS KMS automatically rotates the KMS key one year (approximately 365 days) after the enable date and every year thereafter."
upvoted 2 times
Jonfernz
2 years, 1 month ago
wrong. there's no yearly automatic rotation for AWS managed KMS keys.
upvoted 1 times
...
...
pek77
2 years, 2 months ago
What's the AWS managed CMK (AWS Managed Customer Managed Key)? is there the concept of this? B is Correct
upvoted 1 times
...
Enigmaaaaaa
2 years, 4 months ago
Selected Answer: B
B is correct. A - will not work: no access provided to other accounts, and manual rotate. C - AWS managed key: you can't provide access to others + manual rotate - will not work. D - AWS managed CMK: you can't provide access to others. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
upvoted 2 times
...
etopics
2 years, 5 months ago
D is correct: In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days). New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter. Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 2 times
...
WebMaria
2 years, 10 months ago
So many answers here. Still wrong. It is D. The question asks for MOST OPTIMAL. D works and is more optimal than any other. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 1 times
Punitsolanki
2 years, 10 months ago
AWS managed CMK is rotated once every three years automatically, so it can't be C or D. ref- https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
upvoted 1 times
...
Enigmaaaaaa
2 years, 4 months ago
with D - How can you provide access to other accounts/roles to use AWS managed key?
upvoted 1 times
...
...
AzureDP900
2 years, 12 months ago
B is right
upvoted 1 times
...
cldy
2 years, 12 months ago
B. Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Enable automatic rotation of the CMK.
upvoted 1 times
...
javiems
3 years ago
It's A. B is incorrect. AWS-managed CMK (rotation): Once every three years automatically Customer-managed CMK: Once a year automatically through opt-in or on-demand manually https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
upvoted 2 times
...
backfringe
3 years ago
I go with B
upvoted 1 times
...
RVD
3 years ago
Selected Answer: B
enable automatic rotation after 1 year.
upvoted 1 times
...
acloudguru
3 years ago
Selected Answer: B
A - incorrect - Manual rotation of the key is not good.
B - Correct - Use a customer managed CMK if you want to grant cross-account access to your S3 objects. You can configure the policy of a customer managed CMK to allow access from another account. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
C, D - Incorrect. You cannot manage Amazon managed CMKs, rotate them, or change their key policies. AWS managed customer master key (CMK) key policies can't be modified because they're read-only.
upvoted 2 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other