Question 165 - SCS-C02 discussion


A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region. Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue? (Select THREE.)

A. Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.
B. Grant the IAM role the kms:Encrypt permission for the key in us-east-1 that encrypts source objects.
C. Grant the IAM role the s3:GetObjectVersionForReplication permission for objects that are in the source S3 bucket.
D. Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects.
E. Change the key policy of the key in us-east-1 to grant the kms:Decrypt permission to the security engineer's IAM account.
F. Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.
Suggested answer: B, E, F

Explanation:

To enable S3 Cross-Region Replication (CRR) for objects that are encrypted with SSE-KMS, the following steps are required:

Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects. This will allow the IAM role to decrypt the source objects before replicating them to the destination bucket. The kms:Decrypt permission must be granted in the key policy of the source KMS key or in an IAM policy attached to the IAM role.

Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket. This will allow the IAM role to encrypt the replica objects with the destination KMS key before storing them in the destination bucket. The kms:Encrypt permission must be granted in the key policy of the destination KMS key or in an IAM policy attached to the IAM role.

This solution will remediate the issue of encrypted objects not being replicated to the destination bucket.

The other options are incorrect because they either do not grant the necessary permissions for CRR (A, C, D), or do not use a valid encryption method for CRR (E).
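As an added example (not part of the exam page or of the AWS documentation it cites), here is the shape of the replication rule and replication-role policy that the referenced AWS guide describes for SSE-KMS objects, with placeholder account id, bucket names and key ids, plus a small check that reports which of the two KMS grants a role policy still lacks:

```python
# Placeholder account id, bucket names and key ids (constructed, not the page's values).
SOURCE_BUCKET = "source-bucket-us-east-1"
DEST_BUCKET = "dest-bucket-us-west-2"
SOURCE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/SOURCE-KEY-ID-PLACEHOLDER"
DEST_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/DEST-KEY-ID-PLACEHOLDER"

# Replication rule: opt SSE-KMS objects in and name the us-west-2 replica key.
REPLICATION_RULE = {
    "Status": "Enabled", "Priority": 1, "Filter": {},
    "DeleteMarkerReplication": {"Status": "Disabled"},
    "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
    "Destination": {"Bucket": f"arn:aws:s3:::{DEST_BUCKET}",
                    "EncryptionConfiguration": {"ReplicaKmsKeyID": DEST_KEY_ARN}},
}

# Role policy: S3 read on the source, S3 replicate on the destination, kms:Decrypt
# on the source key via S3 in us-east-1, kms:Encrypt on the destination key via S3
# in us-west-2 (both KMS grants scoped by the S3 object-ARN encryption context).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}",
     "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"]},
    {"Effect": "Allow", "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}/*",
     "Action": ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging"]},
    {"Effect": "Allow", "Resource": f"arn:aws:s3:::{DEST_BUCKET}/*",
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": SOURCE_KEY_ARN,
     "Condition": {"StringLike": {"kms:ViaService": "s3.us-east-1.amazonaws.com",
         "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{SOURCE_BUCKET}/*"}}},
    {"Effect": "Allow", "Action": "kms:Encrypt", "Resource": DEST_KEY_ARN,
     "Condition": {"StringLike": {"kms:ViaService": "s3.us-west-2.amazonaws.com",
         "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{DEST_BUCKET}/*"}}},
]}

def allowed(policy, action, resource):
    """True if an Allow statement names `action` on `resource` (exact match; no wildcard evaluation)."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st["Effect"] == "Allow" and action in acts and resource in res:
            return True
    return False

def missing_kms_grants(policy, source_key_arn, dest_key_arn):
    """KMS grants the replication role still lacks; an empty list means SSE-KMS objects can replicate."""
    needed = [("kms:Decrypt", source_key_arn), ("kms:Encrypt", dest_key_arn)]
    return [f"{a} on {r}" for a, r in needed if not allowed(policy, a, r)]
```

A role policy that carries only the S3 statements makes `missing_kms_grants` report both KMS grants, which matches the symptom in the question: unencrypted objects replicate while SSE-KMS objects do not.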


Reference:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html

asked 16/09/2024
Preetham Pakhala