Amazon Exam SCS-C02 Topic 5 Question 14 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 14
Topic #: 5

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources.

The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

AEncrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.

BEncrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

CEncrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

DEncrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.

Show Suggested Answer

Suggested Answer: D

To ensure minimal latency and regional availability of secrets, encrypting secrets in us-east-1 with a customer-managed KMS key and then replicating them to us-west-1 for encryption with the same key is the optimal approach. This method leverages customer-managed KMS keys for enhanced control and ensures that secrets are available in both regions, adhering to disaster recovery principles and minimizing latency by using regional endpoints.

by Amber at Mar 17, 2024, 08:54 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Carri

10 days ago

Ah, I see. Option C takes it a step further by using a customer-managed KMS key in us-east-1. That way, we have more control over the encryption key and can potentially simplify the key management process.

upvoted 0 times

...

Annelle

11 days ago

But Option B is also interesting. By having the resources in us-west-1 call the Secrets Manager endpoint in us-east-1, we can avoid the need to replicate the secrets, which could be beneficial for performance and consistency.

upvoted 0 times

...

Lilli

12 days ago

You've got a point there! Managing all those keys could get tricky. Maybe Option B is the way to go - fewer moving parts and still meets the requirements.

upvoted 0 times

...

Noble

13 days ago

Agreed. I think Option B is the most elegant solution here. Minimizing the complexity of the setup while still ensuring availability and low latency seems like the best approach.

upvoted 0 times

...