
  • Timed Mode Set 3 Question 54 – AWS Certified Security Specialty

  • Girish Arora

    Member
    July 28, 2024 at 11:42 am

    Question is:

    A company manages multiple AWS accounts in AWS Organizations to handle critical data and transactional systems. They deal with a significant volume of sensitive information. The company stores data in both Amazon S3 and Amazon DynamoDB. Data processing and analysis are using AWS Lambda.

    To ensure the utmost data security, the company needs to implement a solution that encrypts all sensitive data at rest and enforces the principle of least privilege data access controls. The company has created a customer-managed key in AWS Key Management Service (AWS KMS) for encryption purposes and must use the key for all encryptions.

    What should the company do next to meet these requirements?

    1. Create a key policy for the customer-managed key permitting the kms:Decrypt action for Amazon S3, DynamoDB, and Lambda. Enforce an SCP that denies S3 bucket and DynamoDB table creation lacking encryption with the key.
    2. Enable server-side encryption for Amazon S3 buckets and Amazon DynamoDB. Set up an AWS Config rule to issue alerts for resources lacking encryption with the key.
    3. Create an S3 Bucket policy to require the use of the KMS key using s3:x-amz-server-side-encryption. Enforce an SCP that denies S3 bucket and DynamoDB table creation lacking encryption with the key.
    4. Enable server-side encryption for Amazon S3 buckets and Amazon DynamoDB. Attach an IAM policy that allows the kms:Decrypt action to a Lambda IAM role. Set up an AWS Config rule to issue alerts for resources lacking encryption with the key.

    ***********

    The correct answer as per the exam is option 1; however, as far as I know, you cannot enforce an SCP that denies the creation of an S3 bucket at creation time. The S3 CreateBucket API doesn't support any condition key that requires an encryption key, so how can this be the correct answer?

  • Nikee-TutorialsDojo

    Administrator
    July 30, 2024 at 8:38 am

    Hello Girish,

    Thank you for your feedback. Let me explain why option 1 is the correct answer.

    Yes, you are correct that the s3:CreateBucket API call itself does not directly support condition keys that require server-side encryption. However, SCPs can be used to enforce policies at the account level to control actions related to resource creation, including S3 buckets and DynamoDB tables.

    Service Control Policies (SCPs) are used to manage permissions in AWS Organizations. An SCP can deny the creation of resources unless specific conditions are met, even if the individual API does not support those conditions. This includes enforcing encryption policies across an AWS account or organization.

    By enforcing an SCP that denies the creation of S3 buckets and DynamoDB tables that do not have encryption with a customer-managed key, the company can ensure that all data stored in these services is encrypted using the specified key. This is an organizational-level policy, ensuring compliance across all accounts.
    Creating a key policy that permits the necessary kms:Decrypt action for Amazon S3, DynamoDB, and Lambda ensures that these services can use the customer-managed key for encryption and decryption operations. This step is crucial for allowing the services to access the encrypted data.

    To address your concern about the CreateBucket API specifically, the enforcement is at the organizational level using SCPs, not through direct conditions on the API call itself. This approach leverages the hierarchical permission structure provided by AWS Organizations.

    For further reference, you can review the official AWS documentation on Service Control Policies and AWS KMS key policies.

    I hope this clarifies how the correct answer aligns with AWS security best practices and the capabilities of SCPs in enforcing encryption requirements.

    Regards,

    Nikee @ Tutorials Dojo
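As an added illustration (not code from the thread or from Tutorials Dojo), here are the two controls option 1 combines, written as policy documents with a small evaluator for the SCP's Deny statements: the key policy grants a Lambda role kms:Decrypt and the related encryption operations only when used through S3 and DynamoDB (the role and key ARNs are placeholders), and the SCP denies any s3:PutObject that is not SSE-KMS with that key. The S3 condition keys are evaluated on object writes, so the evaluator also shows a CreateBucket request passing through untouched.

```python
"""Added example: key policy plus SCP enforcing a customer-managed KMS key."""
from typing import Dict, Optional

# Placeholder ARNs (constructed for this example, not from the thread).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
LAMBDA_ROLE_ARN = "arn:aws:iam::111122223333:role/example-lambda-role"

# Key policy statement: the Lambda role may use the key, but only via S3 or
# DynamoDB (kms:ViaService), so direct calls to the key from the role are refused.
# Minimal action set for illustration; DynamoDB table creation may need more.
KEY_POLICY_STATEMENT = {
    "Sid": "AllowLambdaViaS3AndDynamoDB",
    "Effect": "Allow",
    "Principal": {"AWS": LAMBDA_ROLE_ARN},
    "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": [
        "s3.us-east-1.amazonaws.com", "dynamodb.us-east-1.amazonaws.com"]}},
}

# SCP: deny object writes that are not SSE-KMS with the designated key.
# StringNotEquals also matches when the condition key is absent from the
# request, so a plain unencrypted PutObject is denied as well.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyNonKmsPutObject", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "*", "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "*", "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
    ],
}


def scp_denies(action: str, context: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, else None.

    Models only what the SCP above needs: an exact Action match and
    StringNotEquals conditions, including the missing-key-matches rule.
    """
    for stmt in SCP["Statement"]:
        if stmt["Action"] != action:
            continue
        for key, wanted in stmt["Condition"]["StringNotEquals"].items():
            if context.get(key) != wanted:
                return stmt["Sid"]
    return None
```

Running `scp_denies("s3:CreateBucket", {})` returns None because no statement targets bucket creation, which is where the header-based enforcement stops.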
