Category: DAS – Security
A Data Analyst has an application running on-premises that utilizes Amazon Kinesis Software Development Kit (SDK) to push data to Amazon Kinesis Data Streams. She must encrypt data at rest using AWS Key Management Service. Also, she should use an encryption key that can be rotated to comply with security requirements.
Which configuration will allow the Data Analyst to meet the requirements with minimal coding effort?
Selected answer is “Create a symmetric CMK in the AWS Key Management Service (KMS) Console. Designate an alias for the CMK and configure the Kinesis data stream to use server-side encryption by specifying the CMK alias as the encryption key.” However, there is another option which better fits the question, and that is this option: “Configure the Kinesis data stream to use server-side encryption by specifying the default AWS Managed key for Kinesis Data Streams.” Please see the reason below:
As per the AWS URL below, KDS uses the default KMS master key (aws/kinesis).
https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html
To enable server-side encryption for a Kinesis stream:
1. Sign in to the AWS Management Console and open the Amazon Kinesis Data Streams console.
2. Create or select a Kinesis stream in the AWS Management Console.
3. Choose the Details tab.
4. In Server-side encryption, choose Edit.
5. Unless you want to use a user-generated KMS master key, ensure the (Default) aws/kinesis KMS master key is selected. This is the KMS master key generated by the Kinesis service. Choose Enabled, and then choose Save.
Can someone please explain why default KMS for KDS server side encryption is not the selected answer to this question?
-
Hello shreyask38,
Thanks for your feedback. While the default KMS key is rotated automatically every 365 days, it cannot be rotated directly by users for a specific period, unlike customer-managed ones. I understand that the scenario at present does not clearly say the rotation strategy to be used, which is why both answers appear to be true. We’ll tweak the conditions for this item to clear out any confusion.
Let me know if you have further questions.
Regards,
Carlo @ Tutorials Dojo
-
Thanks for the reply.
Also because of this condition in the question
“Which configuration will allow the Data Analyst to meet the requirements with minimal coding effort?”
Default KMS seems to be a better fit because it doesn’t need coding effort.
-
Hello shreyask38,
When there is more than one requirement involved, you must select the answer that meets all of them. For instance, answer X may meet requirement A better than answer Y, but it does not meet requirement B, while answer Y meets both requirements A and B. The best answer would still be answer Y.
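The distinction the thread turns on (AWS-managed aws/kinesis key versus a customer-managed CMK, and who controls rotation) can be checked programmatically from the stream and key descriptions. The following is an added example, not code from the forum, the exam item or AWS. It takes already-fetched DescribeStream, DescribeKey and GetKeyRotationStatus responses (the real API field names are used, but all values below are constructed sample data with a placeholder account id) and reports whether a stream is encrypted at rest and whether its key's rotation is under the user's control:

```python
"""Audit a Kinesis Data Streams server-side encryption (SSE) setting.

Added example for this thread, not code from the forum, the exam item, or
AWS. It classifies the key behind a stream's SSE setting and answers the
question the thread argues about: can the user control rotation of that key?
The response shapes follow the real DescribeStream, DescribeKey and
GetKeyRotationStatus APIs, but every value below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Alias of the AWS-managed key the console labels "(Default) aws/kinesis".
AWS_MANAGED_ALIAS = "alias/aws/kinesis"


@dataclass
class SseReport:
    stream_name: str
    encrypted: bool                 # EncryptionType == "KMS"
    key_id: Optional[str]           # KeyId from DescribeStream, if encrypted
    key_manager: Optional[str]      # "AWS" or "CUSTOMER" (KMS KeyManager field)
    rotation_enabled: Optional[bool]
    user_controls_rotation: bool    # True only for customer-managed keys


def classify_sse(stream_desc: dict,
                 key_meta: Optional[dict] = None,
                 rotation: Optional[dict] = None) -> SseReport:
    """Build an SseReport from (already fetched) API responses.

    stream_desc: Kinesis DescribeStream response.
    key_meta:    KMS DescribeKey response for the stream's key (optional).
    rotation:    KMS GetKeyRotationStatus response for that key (optional).
    """
    sd = stream_desc["StreamDescription"]
    encrypted = sd.get("EncryptionType") == "KMS"
    key_id = sd.get("KeyId") if encrypted else None

    manager: Optional[str] = None
    rotation_enabled: Optional[bool] = None
    if encrypted:
        if key_id == AWS_MANAGED_ALIAS:
            # The default key needs no DescribeKey call: it is AWS-managed.
            manager = "AWS"
        elif key_meta is not None:
            manager = key_meta["KeyMetadata"].get("KeyManager")
        if rotation is not None:
            rotation_enabled = rotation.get("KeyRotationEnabled")

    # AWS-managed keys rotate on AWS's own schedule; EnableKeyRotation /
    # DisableKeyRotation only apply to customer-managed (CMK) keys.
    return SseReport(
        stream_name=sd["StreamName"],
        encrypted=encrypted,
        key_id=key_id,
        key_manager=manager,
        rotation_enabled=rotation_enabled,
        user_controls_rotation=encrypted and manager == "CUSTOMER",
    )


def meets_exam_requirements(report: SseReport) -> bool:
    """Encrypted at rest with KMS AND rotation under the user's control."""
    return report.encrypted and report.user_controls_rotation


# --- constructed sample responses (not captured from a real account) -------
ACCOUNT = "123456789012"          # placeholder account id
CMK_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"

SAMPLE_PLAINTEXT = {"StreamDescription": {
    "StreamName": "orders-raw", "EncryptionType": "NONE"}}

SAMPLE_DEFAULT_KEY = {"StreamDescription": {
    "StreamName": "orders-default", "EncryptionType": "KMS",
    "KeyId": AWS_MANAGED_ALIAS}}

SAMPLE_CMK = {"StreamDescription": {
    "StreamName": "orders-cmk", "EncryptionType": "KMS", "KeyId": CMK_ARN}}
SAMPLE_CMK_META = {"KeyMetadata": {
    "KeyId": CMK_ARN.rsplit("/", 1)[1], "Arn": CMK_ARN,
    "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT"}}
SAMPLE_CMK_ROTATION = {"KeyRotationEnabled": True}


if __name__ == "__main__":
    for args in ((SAMPLE_PLAINTEXT,),
                 (SAMPLE_DEFAULT_KEY,),
                 (SAMPLE_CMK, SAMPLE_CMK_META, SAMPLE_CMK_ROTATION)):
        r = classify_sse(*args)
        print(f"{r.stream_name:15} encrypted={r.encrypted!s:5} "
              f"manager={r.key_manager} rotation_by_user={r.user_controls_rotation} "
              f"meets_requirements={meets_exam_requirements(r)}")
```

Run as-is it prints one line per sample stream; in a real account the three dictionaries would come from `describe_stream`, `describe_key` and `get_key_rotation_status` calls. The point the report makes visible is the one in Carlo's reply: the default key satisfies encryption at rest but its `key_manager` is `AWS`, so `user_controls_rotation` stays `False`, while the CMK-backed stream satisfies both requirements.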