Amazon Exam DBS-C01 Topic 4 Question 82 Discussion

Actual exam question for Amazon's DBS-C01 exam

Question #: 82
Topic #: 4

A company uses an Amazon Redshift cluster to run its analytical workloads. Corporate policy requires that the company's data be encrypted at rest with customer managed keys. The company's disaster recovery plan requires that backups of the cluster be copied into another AWS Region on a regular basis.

How should a database specialist automate the process of backing up the cluster data in compliance with these policies?

ACopy the AWS Key Management Service (AWS KMS) customer managed key from the source Region to the destination Region. Set up an AWS Glue job in the source Region to copy the latest snapshot of the Amazon Redshift cluster from the source Region to the destination Region. Use a time-based schedule in AWS Glue to run the job on a daily basis.

BCreate a new AWS Key Management Service (AWS KMS) customer managed key in the destination Region. Create a snapshot copy grant in the destination Region specifying the new key. In the source Region, configure cross-Region snapshots for the Amazon Redshift cluster specifying the destination Region, the snapshot copy grant, and retention periods for the snapshot.

CCopy the AWS Key Management Service (AWS KMS) customer-managed key from the source Region to the destination Region. Create Amazon S3 buckets in each Region using the keys from their respective Regions. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function in the source Region to copy the latest snapshot to the S3 bucket in that Region. Configure S3 Cross-Region Replication to copy the snapshots to the destination Region, specifying the source and destination KMS key IDs in the replication configuration.

DUse the same customer-supplied key materials to create a CMK with the same private key in the destination Region. Configure cross-Region snapshots in the source Region targeting the destination Region. Specify the corresponding CMK in the destination Region to encrypt the snapshot.

Show Suggested Answer

Suggested Answer: B

According to the Amazon Redshift documentation1, you can enable database encryption for your clusters to help protect data at rest. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.

To copy encrypted snapshots across Regions, you need to create a snapshot copy grant in the destination Region and specify a CMK in that Region. You also need to configure cross-Region snapshots in the source Region and provide the destination Region, the snapshot copy grant, and retention periods for the snapshots. This way, you can automate the process of backing up the cluster data in compliance with the corporate policies.

by Hermila at Nov 24, 2023, 08:01 AM

Limited Time Offer

25%

Off

Get Premium DBS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Vincent

2 days ago

I'm not a big fan of option A. Copying the KMS key between regions just sounds like a security nightmare waiting to happen.

upvoted 0 times

...

Susana

3 days ago

Option C is also interesting, using S3 buckets and cross-region replication. That way we don't have to worry about copying the KMS key itself.

upvoted 0 times

...

Margo

4 days ago

Haha, yeah, no kidding. Imagine if someone accidentally deleted that key - goodbye data!

upvoted 0 times

...

Thora

5 days ago

Hmm, this is a tricky question. We need to make sure the backup process is fully compliant with the company's policies on data encryption and cross-region backups.

upvoted 0 times

...