Ends in
00
days
00
hrs
00
mins
00
secs
SHOP NOW

Buy Any Azure Practice Exams and Get AI-900 Practice Exam for FREE!

Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified SysOps Administrator Associate Timed Mode 3 – file-sharing service and data encryption

  • Timed Mode 3 – file-sharing service and data encryption

  • slawoj-stanislawski

    Member
    May 22, 2021 at 1:37 am

    One of the correct answers is “Encrypt data in S3 and Glacier using AWS provided encryption services, and store the encryption keys in KMS.” Correct me if I’m wrong, but I believe KMS never stores DEKs, it generates them but doesn’t store them. It’s not the case with CMKs, but they can only encrypt files up to 4kb, and the scenario doesn’t mention that the files would be up to max 4kb in size. So I understood the answer differently, and this option probably meant to say something like “Encrypt data in S3 and Glacier using AWS provided encryption services with keys provided by the KMS”. Does it make sense?

  • wayne-c

    Member
    June 10, 2021 at 2:04 am

    Hi slawoj,

    Thanks for the feedback.

    AWS KMS generates data keys which are used to encrypt data locally in the AWS service or your application. The data keys are themselves encrypted under a CMK you define. Data keys are not retained or managed by AWS KMS. AWS services encrypt your data and store an encrypted copy of the data key along with the encrypted data. When a service needs to decrypt your data, it requests AWS KMS to decrypt the data key using your CMK. If the user requesting data from the AWS service is authorized to decrypt under your CMK, the AWS service will receive the decrypted data key from AWS KMS. The AWS service then decrypts your data and returns it in plaintext.

    Reference: https://aws.amazon.com/kms/faqs/

    The data keys are encrypted under a CMK you define in AWS KMS which makes the Encrypt data in S3 and Glacier using AWS provided encryption services, and store the encryption keys in KMS.” option correct. CMKs are encryption keys since they are used to encrypt the data keys stored in AWS.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!

    Regards,

    Wayne @ Tutorials Dojo

Viewing 1 - 2 of 2 replies

Log in to reply.

Original Post
0 of 0 posts June 2018
Now