DOP-C02 · Question #423
DOP-C02 Question #423: Real Exam Question with Answer & Explanation
The correct answer is A: Create encrypted backup vaults and customer managed AWS KMS keys in both accounts.. Explanation Option A is correct because creating encrypted backup vaults with customer managed KMS keys in both accounts provides the highest level of security - customer managed keys give you full control over key policies, rotation, auditing, and cross-account access, which is
Question
A company has an RPO of 24 hours and an RTO of 10 minutes for a critical web application that runs on Amazon EC2 instances. The company uses AWS Organizations to manage its AWS account. The company wants to set up AWS Backup for its AWS environment. A DevOps engineer configures AWS Organizations for AWS Backup. The DevOps engineer creates a new centralized AWS account to store the backups. Each EC2 instance has four Amazon Elastic Block Store (Amazon EBS) volumes attached. Which solution will meet this requirement MOST securely?
Options
- ACreate encrypted backup vaults and customer managed AWS KMS keys in both accounts.
- BCreate encrypted vaults in both accounts by using the source account's AWS KMS key. Configure
- CCreate backup vaults in both accounts. Use AWS managed keys for encryption. Configure AWS
- DCreate encrypted vaults in both accounts. Use a customer managed KMS key in the source
Explanation
Explanation
Option A is correct because creating encrypted backup vaults with customer managed KMS keys in both accounts provides the highest level of security - customer managed keys give you full control over key policies, rotation, auditing, and cross-account access, which is essential when replicating backups from a source account to a centralized backup account in AWS Organizations.
Why the distractors are wrong:
- Option B is less secure because using only the source account's KMS key for both vaults creates a cross-account key dependency; if the source account is compromised, both sets of backups are at risk.
- Option C uses AWS managed keys, which offer no granular control over key policies, rotation schedules, or cross-account permissions - making them unsuitable for a "most securely" requirement.
- Option D uses a single customer managed key, which introduces similar cross-account risk as Option B and doesn't provide the isolation needed between accounts.
Memory Tip: Think "one vault, one key, one account" - for maximum security in multi-account backup strategies, each account should have its own customer managed KMS key, giving you independent control and blast-radius containment if one account is compromised. Customer managed = you're in control! 🔑
Topics
Community Discussion
No community discussion yet for this question.