Timed mode set 1- question 2 answer not correct
Neil-TutorialsDojo updated 5 months, 1 week ago 2 Members · 2 Posts -
the question:
An e-commerce website is hosted in an Auto Scaling group of EC2 instances that stores static data in an S3 bucket. The Security Administrator must ensure that the data is encrypted at rest using an encryption key that is both provided and managed by the company. To comply with the IT security policy, the solution must use AES-256 encryption to protect the data that the website is storing. Which of the following should the Administrator implement to satisfy this requirement? (Select TWO.)
- Configure the bucket to use Amazon S3 server-side encryption with customer-provided keys (SSE-C).
- Configure the bucket to use Amazon S3 server-side encryption with AWS KMS-Managed Keys (SSE-KMS).
- Encrypt the data on the client-side before sending to Amazon S3 using their own master key.
- Configure the bucket to use S3 server-side encryption with Amazon S3-Managed Encryption Keys.
- Enable SSL to encrypt the data while in transit to the S3 bucket.
The correct answers seem to be:
- Configure the bucket to use Amazon S3 server-side encryption with customer-provided keys (SSE-C).
- Encrypt the data on the client-side before sending to Amazon S3 using their own master key.
I do not see any possibility to configure the bucket to use SSE-C.
There is a possibility to enforce SSE-C with a bucket policy, but specifying SSE-C is on the object level and not the bucket level.
Using server-side encryption with customer-provided keys (SSE-C) – Amazon Simple Storage Service
I agree that "Configure the bucket to use Amazon S3 server-side encryption with AWS KMS-Managed Keys (SSE-KMS)" is indeed not customer managed, but at least we can specify a customer managed key under the hood.
Or am I not reading it correctly?
- This discussion was modified 5 months, 1 week ago by JakubDaWhat.
Hello JakubDaWhat,
Thank you for bringing this to our attention.
You’re correct that there isn’t a straightforward way to configure SSE-C on a bucket level. But the option is intended as you have explained. I understand that this could have been worded better.
We apologize for any confusion caused by the wording of the options. We’ll work on updating this promptly for clarity. Thank you again for your input.
Regards,
Neil @ Tutorials Dojo
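The distinction discussed in this thread, as an added example that is not part of either post: SSE-C is requested per object through request headers, and a bucket policy can only refuse uploads that omit them. The bucket name is a placeholder and `put_denied` is a hypothetical, simplified local check of the policy's `Null` condition, not a full IAM evaluator.

```python
import base64
import hashlib
import json
import os

BUCKET = "example-bucket"  # placeholder bucket name (assumption)

# Bucket policy that rejects any PutObject lacking the SSE-C algorithm header.
REQUIRE_SSE_C_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUploadsWithoutSSEC",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Null": {
            "s3:x-amz-server-side-encryption-customer-algorithm": "true"
        }},
    }],
}

def sse_c_headers(key: bytes) -> dict:
    """Per-request headers a client sends to use SSE-C with its own key."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

def put_denied(policy: dict, headers: dict) -> bool:
    """Hypothetical local check: does a Deny statement match this PutObject?"""
    present = {h.lower() for h in headers}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for cond_key, want_null in stmt["Condition"]["Null"].items():
            header = cond_key.split(":", 1)[1]  # strip the "s3:" prefix
            if (header not in present) == (want_null == "true"):
                return True
    return False

if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key, generated locally
    print(json.dumps(REQUIRE_SSE_C_POLICY, indent=2))
    print("denied without SSE-C headers:", put_denied(REQUIRE_SSE_C_POLICY, {}))
    print("denied with SSE-C headers:", put_denied(REQUIRE_SSE_C_POLICY, sse_c_headers(key)))
```

An upload that asks for SSE-KMS or SSE-S3 instead still lacks the customer-algorithm header, so the same statement denies it.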