Questions 46 to 48

Explanations for questions 46 to 48

We'll cover the following

Question 46
Question 47
Question 48

Question 46

A new security mandate requires that all personnel data held in the cloud is encrypted at rest. Which two methods allow you to encrypt data stored in S3 buckets at rest cost-efficiently? (Select TWO)

Making use of AWS S3 bucket policies to control access to the data at rest
Using AWS S3 server-side encryption with Key Management Service keys or Customer-provided keys
Using CloudHSM
Encrypting the data at the source using the client’s CMK keys before transferring it to S3
Using Multipart upload with SSL

Correct Answer: 2, 4

Explanation: When using S3 encryption, your data is always encrypted at rest, and you can choose to use KMS managed keys or customer-provided keys. If you encrypt the data at the source and transfer it in an encrypted state, it will also be encrypted in transit.

With client-side encryption, data is encrypted on the client-side and transferred in an encrypted state. With server-side encryption, data is encrypted by S3 before it is written to disk (data is decrypted when it is downloaded).

INCORRECT: “Making use of AWS S3 bucket policies to control access to the data at rest” is incorrect. You can use bucket policies to control the encryption of data that is uploaded, but the use of encryption is not stated in the answer given. Simply using bucket policies to control access to the data does not meet the security mandate that data must be encrypted.

CORRECT: “Using AWS S3 server-side encryption with Key Management Service keys or Customer-provided keys” is the correct answer.

INCORRECT: “Using CloudHSM” is incorrect. CloudHSM can be used to encrypt data but as a dedicated service, it is charged on an hourly basis and is less cost-efficient compared to S3 encryption or encrypting the data at the source.

CORRECT: “Encrypting the data at the source using the client’s CMK keys before transferring it to S3” is the correct answer.

INCORRECT: “Using Multipart upload with SSL” is incorrect. Multipart upload helps with uploading large files but does not encrypt your data.

References:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html

Level up your interview prep. Join Educative to access 70+ hands-on prep courses.

Introduction

Getting Started

Compute

Storage

AWS Database

Migration

Networking and Content Delivery

Management Tools

Media Services

Analytics

AWS Security, Identity, & Compliance

Application Integration

AWS Desktop & App Streaming

Wrapping Up

Practice Exam 1

Practice Exam 1 Explanations

Practice Exam 2

Practice Exam 2 Explanations

Practice Exam 3

Practice Exam 3 Explanations

Practice Exam 4

Practice Exam 4 Explanations

Practice Exam 5

Practice Exam 5 Explanations

Practice Exam 6

Practice Exam 6 Explanations

Questions 46 to 48

Question 46