-
The following question in the sample exam. I am clearly missing something.
-
A company has an application that heavily uses AWS KMS to encrypt financial data. A Security Engineer has been instructed to ensure that communications between the company’s VPC and AWS KMS do not pass through the public Internet.
Which combination of steps is the MOST suitable solution in this scenario? (Select TWO.)
Options:
In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC endpoint ID.
Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.
Replace the Internet Gateway of the VPC with an AWS Transit Gateway.
Set up a new VPC endpoint for AWS KMS with private DNS enabled.
Establish a Direct Connect connection between the VPC and AWS KMS.
The correct answers:
Set up a new VPC endpoint for AWS KMS with private DNS enabled.
Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.
When explaining why the option "In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC endpoint ID." is incorrect, it states:
The option that says: In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC endpoint ID is incorrect because the aws:sourceVpc condition is more suitable if you already have multiple VPC endpoints configured in the same VPC. This means that you still have to use VPC Endpoints in order for you to use this condition. Moreover, if you use the aws:sourceVpc condition, you have to specify the VPC ID and not the VPC endpoint ID.
But what the hell? Doesn’t that also apply to the correct answer? I’ve read over the two and I simply do not see the difference between the correct and incorrect answer. “In the policy add a new” or “Modify the policy to include” is saying the exact same thing.
Furthermore, it says don’t reference the Endpoint ID. But the correct answer is also referencing the Endpoint ID.
I saw a thread about this 2 years ago. And it still has not been fixed. Or I’m just missing something.
-
Hello Nick,
Thanks for the feedback.
VPC and VPC endpoint are two different things. A VPC ID is a unique identifier for a particular VPC just as a VPC endpoint ID is for a VPC endpoint. A VPC endpoint doesn’t point to a VPC hence why putting a VPC endpoint ID as a value for the aws:SourceVpc condition is not valid. The correct answer mentions nothing of aws:SourceVpc at all, only aws:SourceVpce.
I hope this helps.
Regards,
Carlo @ Tutorials Dojo
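To make the distinction concrete, here is an added example (not from the original thread or from Tutorials Dojo) showing what the correct answer looks like as a KMS key policy statement, plus a small check that catches the exact mix-up in the question: a VPC endpoint ID (vpce-…) given to aws:SourceVpc, or a VPC ID (vpc-…) given to aws:SourceVpce. The account number and the vpc-/vpce- identifiers are constructed placeholders.

```python
import copy
import re

# Constructed placeholder identifiers; real IDs come from your own account.
EXAMPLE_ACCOUNT_ID = "111122223333"
EXAMPLE_VPC_ID = "vpc-0123456789abcdef0"
EXAMPLE_VPCE_ID = "vpce-0123456789abcdef0"

# The two condition keys take differently shaped identifiers:
# aws:SourceVpc expects a VPC ID, aws:SourceVpce expects a VPC endpoint ID.
# IAM condition key names are case-insensitive, so lookups use lower-case.
ID_FORMATS = {
    "aws:sourcevpc": re.compile(r"^vpc-[0-9a-f]{8,17}$"),
    "aws:sourcevpce": re.compile(r"^vpce-[0-9a-f]{8,17}$"),
}

# Minimal key policy that keeps the account root as key administrator.
BASE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableRootPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{EXAMPLE_ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def restrict_to_vpc_endpoint(policy, vpce_id):
    """Return a copy of `policy` with an explicit Deny for every KMS request
    that does not arrive through the VPC endpoint `vpce_id`.

    An explicit Deny overrides every Allow, so this also blocks console and
    root use of the key unless those calls come through the endpoint; check
    that before applying it to a key that is already in production."""
    restricted = copy.deepcopy(policy)
    restricted["Statement"].append({
        "Sid": "DenyRequestsNotFromVpcEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "kms:*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
    })
    return restricted


def find_condition_mistakes(policy):
    """Return (Sid, key, value) for every aws:SourceVpc / aws:SourceVpce
    condition whose value does not match the identifier shape that key
    expects. An empty list means the policy uses the keys consistently."""
    problems = []
    for stmt in policy.get("Statement", []):
        for pairs in stmt.get("Condition", {}).values():
            for key, value in pairs.items():
                pattern = ID_FORMATS.get(key.lower())
                if pattern is None:
                    continue  # some other condition key; not our concern here
                values = value if isinstance(value, list) else [value]
                for v in values:
                    if not pattern.match(v):
                        problems.append((stmt.get("Sid"), key, v))
    return problems


if __name__ == "__main__":
    good = restrict_to_vpc_endpoint(BASE_KEY_POLICY, EXAMPLE_VPCE_ID)
    print("correct policy problems:", find_condition_mistakes(good))
    # The mix-up from the exam question: a VPC ID where an endpoint ID belongs.
    bad = restrict_to_vpc_endpoint(BASE_KEY_POLICY, EXAMPLE_VPC_ID)
    print("mistaken policy problems:", find_condition_mistakes(bad))
```

The Deny statement is the piece that pairs with the interface endpoint (created with private DNS enabled so that the regional KMS hostname resolves to the endpoint's private IPs). The check only validates identifier shape; it does not talk to AWS, so it is safe to run in CI against policy documents before they are applied.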
-
Ok I get it. The difference is the letter E at the end.
SourceVpc vs SourceVpce
Man, I hope they don’t have too many awful questions like that on the test. That is an unnecessary level of trickery.
But thank you for clarifying.
-