Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified Data Analytics – Specialty Ambiguity in KDS encryption question

  • shreyask38

    Member
    October 22, 2022 at 5:51 pm

    Category: DAS – Security

    A Data Analyst has an application running on-premises that utilizes Amazon Kinesis Software Development Kit (SDK) to push data to Amazon Kinesis Data Streams. She must encrypt data at rest using AWS Key Management Service. Also, she should use an encryption key that can be rotated to comply with security requirements.

    Which configuration will allow the Data Analyst to meet the requirements with minimal coding effort?

    Selected answer is “Create a symmetric CMK in the AWS Key Management Service (KMS) Console.
    Designate an alias for the CMK and configure the Kinesis data steam to
    use server-side encryption by specifying the CMK alias as the encryption
    key. “

    However, there is another option which better fits the question and that is this option


    Configure the Kinesis data stream to use server-side encryption by
    specifying the default AWS Managed key for Kinesis Data Streams.

    Please see the reason below:

    As per below AWS URL, KDS used default KMS master key(aws/kinesis).

    https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html

    To enable server-side encryption for a Kinesis stream

    1. Sign in to the AWS Management Console and open the Amazon Kinesis Data Streams console

    2. Create or select a Kinesis stream in the AWS Management Console.

    3. Choose the details tab.

    4. In Server-side encryption, choose edit.

    5. Unless you want to use a user-generated KMS master key, ensure the (Default) aws/kinesis KMS master key is selected. This is the KMS master key generated by the Kinesis service. Choose Enabled, and then choose Save.

  • shreyask38

    Member
    October 24, 2022 at 5:09 pm

    Can someone please explain why default KMS for KDS server side encryption is not the selected answer to this question?

  • Carlo-TutorialsDojo

    Administrator
    October 26, 2022 at 3:33 am

    Hello shreyask38,

    Thanks for your feedback. While the default KMS key is rotated automatically every 365 days, it cannot be rotated directly by users for a specific period, unlike customer-managed ones. I understand that the scenario at present does not clearly say the rotation strategy to be used, hence, why both answers appear to be true. We’ll tweak the conditions for this item to clear out any confusion.

    Let me know if you have further questions.

    Regards,

    Carlo @ Tutorials Dojo

  • shreyask38

    Member
    October 26, 2022 at 7:38 am

    Thanks for the reply.

    Also because of this condition in the question

    “Which configuration will allow the Data Analyst to meet the requirements with minimal coding effort?”

    Default KMS seems to be better fit because it doesn’t need coding effort.

  • Carlo-TutorialsDojo

    Administrator
    October 26, 2022 at 4:58 pm

    Hello shreyask38,

    When there is more than one requirement involved, you must select the answer that meets all of them. For instance, answer X may meet requirement A better than answer Y, but it does not meet requirement B, while answer Y meets both requirements A and B. The best answer would still be answer Y.

  • Viewing 1 - 5 of 5 replies

    Log in to reply.

    Original Post
    0 of 0 posts June 2018
    Now