Amazon Exam SCS-C02 Topic 8 Question 25 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 25
Topic #: 8

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources.

The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

AEncrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.

BEncrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

CEncrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

DEncrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.

Show Suggested Answer

Suggested Answer: D

To ensure minimal latency and regional availability of secrets, encrypting secrets in us-east-1 with a customer-managed KMS key and then replicating them to us-west-1 for encryption with the same key is the optimal approach. This method leverages customer-managed KMS keys for enhanced control and ensures that secrets are available in both regions, adhering to disaster recovery principles and minimizing latency by using regional endpoints.

by Daron at Aug 06, 2024, 06:12 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Dominga

3 months ago

I'm just here to make sure the engineers don't accidentally unleash a swarm of AWS Secrets Managers upon an unsuspecting world. No pressure, folks!

upvoted 0 times

...

Long

3 months ago

But wouldn't it be better to use AWS managed KMS keys for consistency and ease of management across Regions?

upvoted 0 times

...

Jaime

3 months ago

Wait, we need to consider the possibility of only one Region being available? I hope the company doesn't have any Black Hole Regions in their AWS infrastructure.

upvoted 0 times

Lamonica

3 months ago

User 2

upvoted 0 times

...

Sena

3 months ago

User 1

upvoted 0 times

...

Juan

3 months ago

I'm not sure. Maybe they should encrypt the secrets in us-east-1 using a customer managed KMS key instead.

upvoted 0 times

...

4 months ago

Option B seems like the simplest and most efficient solution. Calling the Secrets Manager endpoint in us-east-1 from us-west-1 minimizes the overhead of replicating secrets across Regions.

upvoted 0 times

Eun

3 months ago

B) That makes sense. It's a good way to ensure the secrets are accessible in both Regions without unnecessary replication.

upvoted 0 times

...

Rebecka

3 months ago

A) Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.

upvoted 0 times

...

Eloisa

4 months ago

B) Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

upvoted 0 times

...

Long

4 months ago

I think the security engineer should encrypt the secrets in us-east-1 using an AWS managed KMS key.

upvoted 0 times

...