SCS-C02 Question #213: Real Exam Question with Answer & Explanation

The correct answer is A: Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a. For seamless encryption of Amazon S3 objects without direct key management, AWS Key Management Service (KMS) with AWS managed keys offers a highly scalable and manageable solution. The ScheduleKeyDeletion API with PendingWindowInDays set to 0 allows for immediate deletion of the

Submitted by neha2k · Mar 6, 2026

Question

A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. Which solution meets these requirements?

Options

  • A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a
  • B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to
  • C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to
  • D. Use the Systems Manager Parameter Store to store the keys and then use the service API

Explanation

For seamless encryption of Amazon S3 objects without direct key management, AWS Key Management Service (KMS) with AWS managed keys offers a highly scalable and manageable solution. The ScheduleKeyDeletion API with PendingWindowInDays set to 0 allows for immediate deletion of the keys, meeting the requirement for immediate key removal. This approach leverages the managed infrastructure of KMS, reducing the overhead of key management while ensuring scalability and security. The integration of KMS with S3 and the ability to schedule key deletion provide a balance between ease of use and security control.
