AWS DAS practice exam – outdated answer to the question?
Carlo-TutorialsDojo updated 2 years, 1 month ago 2 Members · 2 Posts
-
I have a question about one of the correct answers in AWS DAS practice exam bundle, which I think may be outdated. A question from the exam is:
A Data Analyst has an application running on-premises that utilizes Amazon Kinesis Software Development Kit (SDK) to push data to Amazon Kinesis Data Streams. She must encrypt data at rest using AWS Key Management Service. It’s mandatory that the encryption key be rotated at least every 2 years to comply with security requirements.
Which configuration will allow the Data Analyst to meet the requirements with minimal coding effort?
Correct answer:
Create a custom KMS key. Designate a key alias and configure Kinesis Data stream to use server-side encryption by specifying the alias as the encryption key.
Based on the question, I have chosen:
Configure the Kinesis data stream to use server-side encryption by specifying the default AWS Managed key for Kinesis Data Streams.
Why? As per AWS documentation:
AWS KMS automatically rotates AWS managed keys every year (approximately 365 days). You cannot enable or disable key rotation for AWS managed keys.
In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days).
New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter.
Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter.
I expected the answer tests me on understanding of rotation of managed keys (which is every year, which fits the requirement of the question), but it is highlighted as a wrong answer. Is that because the answer wasn’t updated since May 2022 when this change was applied? Just want to be sure I am not missing something because I am taking the exam tomorrow, but I am fairly certain that my answer was wrong because the answer wasn’t updated with the change in AWS’s automatic key rotation policy change.
Thanks for the help!
-
Hello msuver12,
The question is updated to the current change in KMS key rotation. In the scenario, it was mentioned that the key must be rotated at least every 2 years. The use of the default AWS Managed key does not fit the requirement because it’s set to be rotated automatically every year, which cannot be overridden.
Let me know if this helps.
Regards,
Carlo @ Tutorials Dojo
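The configuration named in the quoted correct answer (custom KMS key, alias, stream encrypted by alias), together with a check of the rotation setting against the scenario's 2-year limit, as an added example that is not part of the original thread. The function names, stream name and alias are hypothetical; the client methods are standard boto3 KMS and Kinesis calls.

```python
MAX_ROTATION_DAYS = 730  # "at least every 2 years" from the exam scenario


def encrypt_stream_with_custom_key(kms, kinesis, stream_name, alias_name):
    """Create a customer managed key, alias it, and enable SSE by alias.

    kms / kinesis are boto3 clients (or test doubles with the same methods).
    """
    key_id = kms.create_key(
        Description=f"SSE key for Kinesis stream {stream_name}"
    )["KeyMetadata"]["KeyId"]
    # Automatic rotation is off by default on a customer managed key.
    kms.enable_key_rotation(KeyId=key_id)
    kms.create_alias(AliasName=alias_name, TargetKeyId=key_id)
    # Encryption is server-side, so the producer's SDK code stays unchanged.
    kinesis.start_stream_encryption(
        StreamName=stream_name, EncryptionType="KMS", KeyId=alias_name
    )
    return key_id


def rotation_is_compliant(kms, key_id, max_days=MAX_ROTATION_DAYS):
    """True if automatic rotation is on and its period fits the policy."""
    status = kms.get_key_rotation_status(KeyId=key_id)
    if not status.get("KeyRotationEnabled"):
        return False
    # If the response omits the period, assume the KMS default of 365 days.
    return status.get("RotationPeriodInDays", 365) <= max_days


if __name__ == "__main__":
    import boto3  # needs AWS credentials and an existing stream

    kms, kinesis = boto3.client("kms"), boto3.client("kinesis")
    # Placeholder names, not taken from the thread.
    kid = encrypt_stream_with_custom_key(
        kms, kinesis, "example-stream", "alias/example-stream-sse"
    )
    print(kid, rotation_is_compliant(kms, kid))
```

Producers and consumers also need IAM permission to use the key (`kms:GenerateDataKey` and `kms:Decrypt` respectively) once the stream is encrypted with a customer managed key.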