Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C02 Topic 2 Question 16 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 16
Topic #: 2
[All SCS-C02 Questions]

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources.

The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

Show Suggested Answer Hide Answer
Suggested Answer: D

To ensure minimal latency and regional availability of secrets, encrypting secrets in us-east-1 with a customer-managed KMS key and then replicating them to us-west-1 for encryption with the same key is the optimal approach. This method leverages customer-managed KMS keys for enhanced control and ensures that secrets are available in both regions, adhering to disaster recovery principles and minimizing latency by using regional endpoints.


Contribute your Thoughts:

Loise
6 months ago
I believe the correct option is to replicate the secrets to us-west-1 and then encrypt them using a new AWS managed KMS key in us-west-1.
upvoted 0 times
...
Dannie
6 months ago
But what about replicating the secrets to us-west-1? Shouldn't that be part of the solution?
upvoted 0 times
...
Stephanie
7 months ago
Yes, that seems like the right approach to ensure the secrets are encrypted.
upvoted 0 times
...
Eleonore
7 months ago
I think the security engineer should encrypt the secrets in us-east-1 using an AWS managed KMS key.
upvoted 0 times
...
Harris
8 months ago
Exactly, and then encrypt the secrets in us-west-1 using a new AWS managed KMS key in us-west-1.
upvoted 0 times
...
Amina
8 months ago
Yeah, that makes sense. Then they can replicate the secrets to us-west-1.
upvoted 0 times
...
Harris
8 months ago
I think the security engineer should encrypt the secrets in us-east-1 using an AWS managed KMS key.
upvoted 0 times
Jaclyn
8 months ago
D
upvoted 0 times
...
Bernadine
8 months ago
A
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77