Question 355 of 375 from exam CLF-C01: AWS Certified Cloud Practitioner

Question

I enable encryption on an S3 bucket that I have created with the following selections.

Refer to the figure below. With the KMS key selected as the AWS managed key (aws/s3), which of the following statements is NOT true?

Figure: the Amazon S3 console page "Edit default encryption" for the bucket kum-buck-000, with the following selections.

Default encryption: automatically encrypt new objects stored in this bucket.
Server-side encryption: Enable (Disable not selected).
Encryption key type: AWS Key Management Service key (SSE-KMS) selected; Amazon S3 key (SSE-S3) not selected. The console notes that to upload an object with a customer-provided encryption key (SSE-C) you must use the AWS CLI, AWS SDK, or Amazon S3 REST API.
AWS KMS key: AWS managed key (aws/s3), arn:aws:kms:us-west-2:874165845233:alias/aws/s3. The alternatives "Choose from your KMS master keys" and "Enter KMS master key ARN" are not selected.

Answers

Explanations

Answer: B.

Option A is incorrect (the statement is true).

AWS managed KMS keys cannot be deleted, unlike their customer managed counterparts, which a user can schedule for deletion (KMS enforces a waiting period before the key is actually removed).

Option B is CORRECT (it is the statement that is NOT true).

AWS managed KMS keys are rotated only automatically, on a schedule that AWS controls; a user can neither rotate them manually nor change that schedule. Customer managed KMS keys can be rotated automatically or manually.

Manual rotation gives greater control over the keys: you decide when to rotate and can retire the old key material entirely. The trade-off is operational: manual rotation means creating a new key and re-pointing the alias, and the old key must stay enabled (or its data must be re-encrypted) for as long as ciphertext produced under it still needs to be decrypted. Automatic rotation of a customer managed key instead keeps the previous key material under the same key ID, so existing ciphertext keeps decrypting without any change on the caller's side.

Option C is incorrect (the statement is true).

AWS KMS integrates with CloudTrail, which records calls to KMS made by users, roles, and other AWS services. With SSE-KMS, the GenerateDataKey and Decrypt calls that Amazon S3 makes on the bucket owner's behalf appear in the trail as well.

Every KMS API call is captured as a CloudTrail event, which can be delivered to an S3 bucket or sent to CloudWatch Logs for analysis.
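The following is an added example, not code from the original page: it runs the kind of analysis described above over a small, constructed CloudTrail log (the account ID, key ARNs and principal names are placeholders and the AccessDeniedException record is an assumed, not observed, response). It keeps only kms.amazonaws.com events, counts calls per key and caller (including the calls S3 makes on a user's behalf, which carry an invokedBy field), and flags management-plane calls such as ScheduleKeyDeletion or PutKeyPolicy together with their error code.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Management-plane KMS actions worth alerting on regardless of outcome.
MANAGEMENT_EVENTS = {
    "ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
    "DisableKeyRotation", "EnableKeyRotation", "CreateGrant",
}

AWS_S3_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1111aaaa-0000-4000-8000-000000000001"
CUSTOM_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/2222bbbb-0000-4000-8000-000000000002"

# Constructed sample trail in the shape of a CloudTrail log file ("Records" array).
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # S3 encrypting a new object with SSE-KMS on alice's behalf
        "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
        "eventTime": "2023-05-01T10:00:01Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"keyId": "alias/aws/s3"},
        "resources": [{"ARN": AWS_S3_KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {   # S3 reading that object back
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "eventTime": "2023-05-01T10:05:00Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"keyId": AWS_S3_KEY_ARN},
        "resources": [{"ARN": AWS_S3_KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {   # assumed: a denied attempt to delete the AWS managed key
        "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
        "eventTime": "2023-05-01T11:00:00Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"keyId": AWS_S3_KEY_ARN},
        "resources": [{"ARN": AWS_S3_KEY_ARN, "type": "AWS::KMS::Key"}],
        "errorCode": "AccessDeniedException",
    },
    {   # a successful key policy change on a customer managed key
        "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
        "eventTime": "2023-05-01T11:02:00Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"keyId": CUSTOM_KEY_ARN, "policyName": "default"},
        "resources": [{"ARN": CUSTOM_KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {   # non-KMS noise that the filter must drop
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "eventTime": "2023-05-01T10:00:00Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "kum-buck-000", "key": "report.csv"},
    },
]})


def load_records(text: str) -> List[Dict]:
    """Parse one CloudTrail log file (already gunzipped) into its record list."""
    return json.loads(text).get("Records", [])


def kms_events(records: List[Dict]) -> List[Dict]:
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]


def caller(record: Dict) -> str:
    """Principal ARN, annotated with the service that called KMS on its behalf, if any."""
    ident = record.get("userIdentity", {})
    who = ident.get("arn", ident.get("type", "unknown"))
    via = ident.get("invokedBy")
    return f"{who} via {via}" if via else who


def key_of(record: Dict) -> str:
    """Resolved key ARN from the resources block; fall back to the raw keyId parameter."""
    for res in record.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res["ARN"]
    return record.get("requestParameters", {}).get("keyId", "unknown")


def calls_per_key(records: List[Dict]) -> Dict[str, Counter]:
    per_key: Dict[str, Counter] = defaultdict(Counter)
    for r in kms_events(records):
        per_key[key_of(r)][(caller(r), r["eventName"])] += 1
    return dict(per_key)


def management_alerts(records: List[Dict]) -> List[str]:
    """One line per management-plane call, with its outcome (errorCode or ok)."""
    alerts = []
    for r in kms_events(records):
        if r["eventName"] in MANAGEMENT_EVENTS:
            outcome = r.get("errorCode", "ok")
            alerts.append(f"{r['eventTime']} {r['eventName']} on {key_of(r)} by {caller(r)}: {outcome}")
    return alerts


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for key, counts in calls_per_key(recs).items():
        print(key)
        for (who, action), n in counts.items():
            print(f"  {n:3d} {action:20s} {who}")
    print("\n".join(management_alerts(recs)))
```

Point the same functions at real log files by gunzipping the objects CloudTrail delivers to its S3 bucket and passing each file's text to load_records; for a CloudWatch Logs destination the same record shape arrives one event per log line.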

Option D is incorrect (the statement is true).

AWS managed KMS keys cannot be deleted, disabled, or manually rotated by a user, and their key policies cannot be changed.

They can only be viewed (together with their key policy) and their use audited within the account.

Customer managed KMS keys, on the other hand, are fully under the user's control: the user maintains their key policies and IAM policies, enables or disables them, rotates them, schedules their deletion, and so on.
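As an added example that is not part of the original page, the script below turns the distinctions made for options B and D into an audit: it reads DescribeKey, GetKeyRotationStatus and ListAliases responses (the samples are constructed and use placeholder key IDs; the KeyManager values "AWS" and "CUSTOMER" and the KeyRotationEnabled field are the real response fields), records what the account may do with each key, and reports customer managed keys that have automatic rotation off or are pending deletion. AWS managed keys such as aws/s3 produce no findings because there is nothing the account could change. The collect_keys function gathers the same structure from a live account with boto3; it is an assumed usage, needs credentials, and is not run in the demo.

```python
from typing import Dict, Iterable, List

# Constructed sample responses in the shape of KMS DescribeKey, GetKeyRotationStatus
# and ListAliases output. Key IDs, dates and aliases are placeholders, not real resources.
SAMPLE_KEYS: List[Dict] = [
    {   # the aws/s3 key from the screenshot: managed and rotated by AWS, read-only to the account
        "describe": {"KeyMetadata": {
            "KeyId": "1111aaaa-0000-4000-8000-000000000001", "KeyManager": "AWS",
            "Enabled": True, "KeyState": "Enabled",
            "Description": "Default key that protects my S3 objects when no other key is defined"}},
        "rotation": {"KeyRotationEnabled": True},
        "aliases": ["alias/aws/s3"],
    },
    {   # customer managed key whose owner never turned automatic rotation on
        "describe": {"KeyMetadata": {
            "KeyId": "2222bbbb-0000-4000-8000-000000000002", "KeyManager": "CUSTOMER",
            "Enabled": True, "KeyState": "Enabled", "Description": "app data key"}},
        "rotation": {"KeyRotationEnabled": False},
        "aliases": ["alias/app/data"],
    },
    {   # customer managed key already scheduled for deletion; its rotation setting is moot
        "describe": {"KeyMetadata": {
            "KeyId": "3333cccc-0000-4000-8000-000000000003", "KeyManager": "CUSTOMER",
            "Enabled": False, "KeyState": "PendingDeletion",
            "DeletionDate": "2023-06-15T00:00:00Z", "Description": "old backup key"}},
        "rotation": {"KeyRotationEnabled": True},
        "aliases": [],
    },
]


def classify_key(describe: Dict, rotation: Dict, aliases: Iterable[str] = ()) -> Dict:
    """Summarise one key and what the account is allowed to do with it."""
    meta = describe["KeyMetadata"]
    aws_managed = meta["KeyManager"] == "AWS"
    return {
        "key_id": meta["KeyId"],
        "aliases": list(aliases),
        "manager": meta["KeyManager"],
        "state": meta["KeyState"],
        "rotation_enabled": bool(rotation.get("KeyRotationEnabled", False)),
        # AWS managed keys: view and audit only, rotation on AWS's schedule.
        # Customer managed keys: the account controls all of these.
        "can_delete": not aws_managed,
        "can_disable": not aws_managed,
        "can_edit_key_policy": not aws_managed,
        "can_change_rotation": not aws_managed,
        "can_rotate_manually": not aws_managed,
    }


def audit(keys: List[Dict]) -> List[str]:
    """Findings for keys the account is responsible for; AWS managed keys are skipped."""
    findings = []
    for k in keys:
        info = classify_key(k["describe"], k["rotation"], k.get("aliases", ()))
        label = info["aliases"][0] if info["aliases"] else info["key_id"]
        if info["manager"] == "AWS":
            continue
        if info["state"] == "PendingDeletion":
            when = k["describe"]["KeyMetadata"].get("DeletionDate", "unknown date")
            findings.append(f"{label}: scheduled for deletion on {when}; "
                            "ciphertext under this key becomes unrecoverable after that")
        elif not info["rotation_enabled"]:
            findings.append(f"{label}: automatic rotation disabled; enable it (EnableKeyRotation) "
                            "or rotate manually by creating a new key and re-pointing the alias")
    return findings


def collect_keys(kms) -> List[Dict]:
    """Build the same structure from a live account. `kms` is a boto3 KMS client (assumed;
    needs kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListAliases)."""
    keys = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            key_id = entry["KeyId"]
            keys.append({
                "describe": kms.describe_key(KeyId=key_id),
                "rotation": kms.get_key_rotation_status(KeyId=key_id),
                "aliases": [a["AliasName"] for a in kms.list_aliases(KeyId=key_id)["Aliases"]],
            })
    return keys


if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        info = classify_key(k["describe"], k["rotation"], k["aliases"])
        print(f"{info['key_id']} {info['manager']:9s} rotation={info['rotation_enabled']} "
              f"delete={info['can_delete']} edit_policy={info['can_edit_key_policy']}")
    for line in audit(SAMPLE_KEYS):
        print("FINDING", line)
```

Running it against a real account means replacing SAMPLE_KEYS with collect_keys(boto3.client("kms")); GetKeyRotationStatus reports False for asymmetric keys and keys with imported material, so treat those findings as expected rather than as gaps.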

References:

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
https://youtu.be/SOnJyqwGn1I