Question 115 - SCS-C01 discussion


A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

A. The log files fail integrity validation and automatically are marked as unavailable.
B. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
D. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
Suggested answer: B

Explanation:

Enabling SSE-KMS on a trail encrypts only the log files with the KMS key; the digest files are always encrypted with Amazon S3-managed keys (SSE-S3). Reading the log files therefore requires permission to decrypt with the trail's KMS key, which the key policy must grant to the reader's IAM user or role, while the digest files stay readable without it. That matches the symptom exactly, so B is the most likely cause. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
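As an added example (not part of the ExamGecko page or of AWS documentation), the following Python contrasts a constructed KMS key policy showing the defect behind answer B with a corrected one that also grants the engineer's role decrypt permission, and runs a simplified key-policy check over both; the role ARN and account ID are assumed placeholders.

```python
ENGINEER_ROLE = "arn:aws:iam::111122223333:role/SecurityEngineer"  # constructed ARN
# Constructed key policy with the defect from the question: CloudTrail may encrypt
# (GenerateDataKey*), but no statement grants anyone kms:Decrypt on the key.
WEAK_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "kms:GenerateDataKey*",
        "Resource": "*",
    }],
}

# Corrected policy: same CloudTrail statement plus kms:Decrypt for the engineer's role.
FIXED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_KEY_POLICY["Statement"] + [{
        "Effect": "Allow",
        "Principal": {"AWS": ENGINEER_ROLE},
        "Action": "kms:Decrypt",
        "Resource": "*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, arn):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p in ("*", arn) for p in _as_list(aws))

def _grants(action, wanted):
    # "*" and "kms:*" are treated as wildcards; finer-grained patterns are out of scope.
    return any(a in ("*", "kms:*", wanted) for a in _as_list(action))

def can_decrypt(key_policy, principal_arn, action="kms:Decrypt"):
    """Simplified key-policy check: an explicit Deny wins; otherwise any Allow naming the
    principal and action suffices. Real KMS evaluation also weighs conditions and grants."""
    allowed = False
    for stmt in key_policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _grants(stmt.get("Action", []), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed
```

With the weak policy `can_decrypt` returns False for the engineer's role, which is the condition under which SSE-KMS log files are unreadable while SSE-S3 digest files still open; with the fixed policy it returns True.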

asked 16/09/2024
Szymon Strzep