Timed Set 3 – Identity and Access Management Q7 – incorrect options for answers
Hi. Below is the question.
A security engineer enabled Amazon S3 Cross-Region Replication (CRR) for all objects from a source bucket in ap-southeast-1 to a destination bucket in ap-northeast-2 in the same AWS account. Some of the objects from the source bucket are encrypted at rest using AWS KMS keys (SSE-KMS).
The replication setup utilizes a newly created customer-managed key (CMK) from ap-northeast-2 and an IAM role. It should encrypt all objects in the destination bucket at rest using the newly created key.
Several days later, the engineer discovered that the encrypted objects from the source bucket were not replicated to the destination bucket, while all the unencrypted objects were successfully processed.
Which combination of steps the security engineer must do to resolve the issue? (Select THREE)
– Grant IAM role with s3:GetObjectVersionForReplication action for objects in the ap-southeast-1 source bucket.
– Configure replication configuration to use the same key with the encrypted objects from the source bucket.
– Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-northeast-1 used to encrypt object replica in the destination bucket.
– Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-southeast-1 used to encrypt the source objects.
– Grant IAM role with s3:GetObjectVersion action for objects in ap-southeast-1 source bucket.
– Grant IAM role with kms:Decrypt action for the AWS KMS key in ap-southeast-1 used to encrypt the source objects.

As per the explanation, one of the correct answers is "Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-northeast-1 used to encrypt object replica in the destination bucket."
However, this is incorrect because, as per the question, the destination bucket is in ap-northeast-2, not ap-northeast-1. Please update the answer options.