Amazon Exam SCS-C02 Topic 5 Question 14 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 14
Topic #: 5

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources.

The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

Suggested Answer: D

To ensure minimal latency and regional availability of secrets, encrypting secrets in us-east-1 with a customer-managed KMS key and then replicating them to us-west-1 for encryption with the same key is the optimal approach. This method leverages customer-managed KMS keys for enhanced control and ensures that secrets are available in both regions, adhering to disaster recovery principles and minimizing latency by using regional endpoints.


Contribute your Thoughts:

Chau
6 months ago
I see your point, Beckie. Maybe using a customer managed KMS key and replicating to us-west-1 with the same key would be a better option.
upvoted 0 times
...
Shelton
6 months ago
That's a good point, Beckie. Using a customer managed KMS key might offer more control over the encryption process.
upvoted 0 times
...
Beckie
6 months ago
But wouldn't it be better to use a customer managed KMS key instead of an AWS managed KMS key for encryption in us-east-1?
upvoted 0 times
...
Chau
6 months ago
I agree with Shelton. Encrypting in us-east-1 by using an AWS managed KMS key is the way to go to meet the requirements.
upvoted 0 times
...
Shelton
6 months ago
I think the security engineer should encrypt the secrets in us-east-1 by using an AWS managed KMS key and then replicate the secrets to us-west-1.
upvoted 0 times
...
Kayleigh
6 months ago
That's a good point, Mollie. Maybe they should consider encrypting in both Regions using AWS managed KMS keys to meet those requirements.
upvoted 0 times
...
Mollie
7 months ago
But what about minimizing latency and ensuring availability if only one Region is available? Shouldn't they encrypt in both Regions using new AWS managed KMS keys?
upvoted 0 times
...
Moon
7 months ago
I agree with that. It's important to use AWS managed KMS keys for encryption to ensure security and compliance.
upvoted 0 times
...
Kayleigh
7 months ago
I think the security engineer should encrypt the secrets in us-east-1 by using an AWS managed KMS key. Then replicate the secrets to us-west-1.
upvoted 0 times
...
Carri
8 months ago
Ah, I see. Option C takes it a step further by using a customer-managed KMS key in us-east-1. That way, we have more control over the encryption key and can potentially simplify the key management process.
upvoted 0 times
...
Annelle
8 months ago
But Option B is also interesting. By having the resources in us-west-1 call the Secrets Manager endpoint in us-east-1, we can avoid the need to replicate the secrets, which could be beneficial for performance and consistency.
upvoted 0 times
Jose
8 months ago
D: Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.
upvoted 0 times
...
Ma
8 months ago
C: Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
upvoted 0 times
...
Aliza
8 months ago
A: But Option B is also interesting. By having the resources in us-west-1 call the Secrets Manager endpoint in us-east-1, we can avoid the need to replicate the secrets, which could be beneficial for performance and consistency.
upvoted 0 times
...
Kallie
8 months ago
B: Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
upvoted 0 times
...
Lavonna
8 months ago
A: Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.
upvoted 0 times
...
...
Lilli
8 months ago
You've got a point there! Managing all those keys could get tricky. Maybe Option B is the way to go - fewer moving parts and still meets the requirements.
upvoted 0 times
...
Noble
8 months ago
Agreed. I think Option B is the most elegant solution here. Minimizing the complexity of the setup while still ensuring availability and low latency seems like the best approach.
upvoted 0 times
...
