Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified Security – Specialty Timed Set 3 – Identity and Access Management Q7 – incorrect options for answers

  • Timed Set 3 – Identity and Access Management Q7 – incorrect options for answers

  • AJam

    Member
    March 24, 2024 at 7:31 pm

    Hi. Below is question.

    A security engineer enabled Amazon S3 Cross-Region Replication (CRR) for all objects from a source bucket in ap-southeast-1 to a destination bucket in ap-northeast-2 in the same AWS account. Some of the objects from the source bucket are encrypted at rest using AWS KMS keys (SSE-KMS).

    The replication setup utilizes a newly created customer-managed key (CMK) from ap-northeast-2 and an IAM role. It should encrypt all objects in the destination bucket at rest using the newly created key.

    Several days later, the engineer discovered that the encrypted objects from the source bucket were not replicated to the destination bucket, while all the unencrypted objects were successfully processed.

    Which combination of steps the security engineer must do to resolve the issue? (Select THREE)

    Grant IAM role with

    s3:GetObjectVersionForReplication action for objects in the ap-southeast-1 source bucket.
    – Configure replication configuration to use the same key with the encrypted objects from the source bucket.
    – Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-northeast-1 used to encrypt object replica in the destination bucket.
    – Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-southeast-1 used to encrypt the source objects.
    – Grant IAM role with s3:GetObjectVersion action for objects in ap-southeast-1 source bucket.
    – Grant IAM role with kms:Decrypt action for the AWS KMS key in ap-southeast-1 used to encrypt the source objects.

    As per the explanation, one of the correct answers is ” Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-northeast-1 used to encrypt object replica in the destination bucket.”
    however this is incorrect because as per the question, the destination bucket is in ap-northeast-2 not ap-northeast-1. Please update the answer options.

Viewing 1 of 1 replies

Log in to reply.

Original Post
0 of 0 posts June 2018
Now
Skip to content