Ends in
00
days
00
hrs
00
mins
00
secs
SHOP NOW

Save 40% OFF on AWS Foundational Reviewers + Get Free Cloud Practitioner eBook if you buy Practice Exam + Video Course Bundle!

Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified Developer Associate Incorrect answer for AWS CDA Security section exam question

  • Incorrect answer for AWS CDA Security section exam question

  • kaws8902

    Member
    March 26, 2023 at 10:11 am

    Hello,

    I came across this question in the Security section for AWS Certified Developer Associate and I believe the incorrect answer is selected as the right one.

    Category: CDA – Security

    An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS–Managed Keys (SSE-KMS).

    Which of the following is required to properly implement this requirement?

    This is provided as the correct answer.

    Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header.


    However, someone can send a request with x-amz-server-side-encryption: “AES256” instead of “aws:kms” which would mean that SSE-S3 is used which does not satisfy the requirement.

    Therefore, this answer is incorrect.


    Here is the documentation where it shows AES256 is valid:

  • Carlo-TutorialsDojo

    Member
    March 27, 2023 at 2:55 pm

    Hello kaws8902,

    I understand that x-amz-server-side-encryption header can have different values based on the type of KMS key being used, such as “aws:kms” or “AES256”. However, the given answer cannot be dismissed as incorrect simply because there are other possible values for the header. Rather, the appropriateness of the answer depends on the specific conditions and options presented in the scenario. The question is testing you on what specific header to use. If the question asks you to choose between the right x-amz-server-side-encryption values, then that’s a different story.

    Let me know what you think.

    Regards,

    Carlo @ Tutorials Dojo

Viewing 1 - 2 of 2 replies

Log in to reply.

Original Post
0 of 0 posts June 2018
Now
Skip to content