
  • AWS DAS practice exam – outdated answer to the question?

  • msuver12

    Member
    January 10, 2023 at 3:57 pm

    I have a question about one of the correct answers in the AWS DAS practice exam bundle, which I think may be outdated. A question from the exam is:

    A Data Analyst has an application running on-premises that utilizes Amazon Kinesis Software Development Kit (SDK) to push data to Amazon Kinesis Data Streams. She must encrypt data at rest using AWS Key Management Service. It’s mandatory that the encryption key be rotated at least every 2 years to comply with security requirements.

    Which configuration will allow the Data Analyst to meet the requirements with minimal coding effort?

    Correct answer:

    Create a custom KMS key. Designate a key alias and configure Kinesis Data stream to use server-side encryption by specifying the alias as the encryption key.

    Based on the question, I have chosen:

    Configure the Kinesis data stream to use server-side encryption by specifying the default AWS Managed key for Kinesis Data Streams.

    Why? As per AWS documentation:

    AWS KMS automatically rotates AWS managed keys every year (approximately 365 days). You cannot enable or disable key rotation for AWS managed keys.

    In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days).

    New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter.

    Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter.

    I expected the answer tests me on understanding of rotation of managed keys (which is every year, which fits the requirement of the question), but it is highlighted as a wrong answer. Is that because the answer wasn’t updated since May 2022 when this change was applied? Just want to be sure I am not missing something because I am taking the exam tomorrow, but I am fairly certain that my answer was wrong because the answer wasn’t updated with the change in AWS’s automatic key rotation policy change.

    Thanks for the help!

  • Carlo-TutorialsDojo

    Administrator
    January 10, 2023 at 11:59 pm

    Hello msuver12,

    The question is updated to the current change in KMS key rotation. In the scenario, it was mentioned that the key must be rotated at least every 2 years. The use of the default AWS Managed key does not fit the requirement because it’s set to be rotated automatically every year, which cannot be overridden.

    Let me know if this helps.

    Regards,

    Carlo @ Tutorials Dojo
