Amazon Exam DBS-C01 Topic 1 Question 84 Discussion

Actual exam question for Amazon's DBS-C01 exam

Question #: 84
Topic #: 1

A company uses an Amazon Redshift cluster to run its analytical workloads. Corporate policy requires that the company's data be encrypted at rest with customer managed keys. The company's disaster recovery plan requires that backups of the cluster be copied into another AWS Region on a regular basis.

How should a database specialist automate the process of backing up the cluster data in compliance with these policies?

ACopy the AWS Key Management Service (AWS KMS) customer managed key from the source Region to the destination Region. Set up an AWS Glue job in the source Region to copy the latest snapshot of the Amazon Redshift cluster from the source Region to the destination Region. Use a time-based schedule in AWS Glue to run the job on a daily basis.

BCreate a new AWS Key Management Service (AWS KMS) customer managed key in the destination Region. Create a snapshot copy grant in the destination Region specifying the new key. In the source Region, configure cross-Region snapshots for the Amazon Redshift cluster specifying the destination Region, the snapshot copy grant, and retention periods for the snapshot.

CCopy the AWS Key Management Service (AWS KMS) customer-managed key from the source Region to the destination Region. Create Amazon S3 buckets in each Region using the keys from their respective Regions. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function in the source Region to copy the latest snapshot to the S3 bucket in that Region. Configure S3 Cross-Region Replication to copy the snapshots to the destination Region, specifying the source and destination KMS key IDs in the replication configuration.

DUse the same customer-supplied key materials to create a CMK with the same private key in the destination Region. Configure cross-Region snapshots in the source Region targeting the destination Region. Specify the corresponding CMK in the destination Region to encrypt the snapshot.

Show Suggested Answer

Suggested Answer: B

According to the Amazon Redshift documentation1, you can enable database encryption for your clusters to help protect data at rest. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.

To copy encrypted snapshots across Regions, you need to create a snapshot copy grant in the destination Region and specify a CMK in that Region. You also need to configure cross-Region snapshots in the source Region and provide the destination Region, the snapshot copy grant, and retention periods for the snapshots. This way, you can automate the process of backing up the cluster data in compliance with the corporate policies.

by Nicolette at Dec 26, 2023, 09:25 PM

Limited Time Offer

25%

Off

Get Premium DBS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Nathan

8 days ago

Alright, I think we've got a good handle on this one. Let's go with either Option B or C as the most robust and compliant solutions. What do you all think?

upvoted 0 times

...

Craig

9 days ago

Yeah, that would be way too straightforward. Where's the fun in that? I'm glad the options are a bit more involved, it really makes us think through the different approaches.

upvoted 0 times

...

Billi

11 days ago

Hah, can you imagine if the answer was Option D? 'Use the same customer-supplied key materials to create a CMK with the same private key in the destination Region.' That would just be too easy, right?

upvoted 0 times

...

Leatha

12 days ago

Sounds good to me. Now let's just hope the real exam question isn't something completely unexpected, like 'What's the square root of 42?' or something equally random.

upvoted 0 times

...