
Amazon SCS-C02 Exam - Topic 5 Question 14 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 14
Topic #: 5

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources.

The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

A. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.
B. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
C. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.

Suggested Answer: D

Options B and C keep every secret read in us-west-1 dependent on the us-east-1 endpoint: each fetch is a cross-Region call, which adds latency, and if us-east-1 is unavailable the us-west-1 workload cannot read its secrets at all. Both therefore fail the availability requirement, so the secrets must be replicated. Of the two replication options, D uses a customer managed KMS key, which gives the company control over the key policy, key rotation and CloudTrail visibility in both Regions, and each Region's workload then reads its secrets from its own regional Secrets Manager endpoint with no cross-Region dependency. One caveat a practitioner should keep in mind: a KMS key can only be used in the Region where it was created, so "the customer managed KMS key from us-east-1" can encrypt the us-west-1 replica only if it is a multi-Region key with a replica key in us-west-1 (the replica shares the primary's key ID, which begins with mrk-, and its key material). When Secrets Manager replicates a secret it re-encrypts the replica under the destination-Region key you specify, or under that Region's aws/secretsmanager key if you specify none.
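As an added example (not code from this page, its posters or AWS), the Python below shows the boto3 calls for option D done the way KMS allows: a multi-Region customer managed key created in us-east-1 and replicated to us-west-1, then a secret created with a us-west-1 replica encrypted under the replica key. It also audits a describe_secret response offline, flagging a replica whose KMS key belongs to another Region. The account ID, key IDs, secret name and responses are constructed, and the clients are injected so the audit runs without network access.

```python
# Added example: not code from the exam page, the forum posters or AWS.
# Account ID, key IDs, secret name and describe_secret responses are
# constructed; boto3 clients are injected so nothing here needs the network.
import re

PRIMARY_REGION = "us-east-1"
REPLICA_REGION = "us-west-1"

# arn:aws:kms:<region>:<account>:key/<key-id>
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[A-Za-z0-9-]+)$"
)


def parse_key_arn(arn):
    match = KMS_KEY_ARN.match(arn)
    if not match:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return match.groupdict()


def is_multi_region_key(arn):
    # Multi-Region KMS keys (primary and replicas) have key IDs beginning with
    # "mrk-"; a replica shares the primary's key ID and key material, which is
    # what lets "the same key" be used in a second Region.
    return parse_key_arn(arn)["key_id"].startswith("mrk-")


def provision(kms_primary, secretsmanager, secret_name, secret_string):
    """Create a multi-Region CMK in us-east-1, replicate it to us-west-1, then
    create the secret with a us-west-1 replica encrypted under the replica key.
    Both arguments are boto3 clients for us-east-1 (replicate_key is called in
    the primary key's Region). Returns the describe_secret response."""
    primary = kms_primary.create_key(
        MultiRegion=True, Description="Secrets Manager multi-Region CMK"
    )["KeyMetadata"]
    replica = kms_primary.replicate_key(
        KeyId=primary["Arn"], ReplicaRegion=REPLICA_REGION
    )["ReplicaKeyMetadata"]
    secretsmanager.create_secret(
        Name=secret_name,
        SecretString=secret_string,
        KmsKeyId=primary["Arn"],
        AddReplicaRegions=[{"Region": REPLICA_REGION, "KmsKeyId": replica["Arn"]}],
    )
    return secretsmanager.describe_secret(SecretId=secret_name)


def audit_replication(described, expected_regions=(REPLICA_REGION,)):
    """Check a describe_secret response: a replica exists in each expected
    Region, is InSync, and is encrypted under a key of that Region (a replica
    of the primary key when the primary is multi-Region). Empty list = sound."""
    findings = []
    primary_key = described.get("KmsKeyId", "")
    by_region = {s["Region"]: s for s in described.get("ReplicationStatus", [])}
    for region in expected_regions:
        entry = by_region.get(region)
        if entry is None:
            findings.append(f"{region}: no replica; reads fail if {PRIMARY_REGION} is down")
            continue
        if entry.get("Status") != "InSync":
            findings.append(f"{region}: replica status {entry.get('Status')}: {entry.get('StatusMessage', '')}")
        key = entry.get("KmsKeyId", "")
        if not key:
            continue  # Secrets Manager used that Region's aws/secretsmanager key
        if not key.startswith("arn:aws:kms:"):
            findings.append(f"{region}: replica key '{key}' is an alias or bare ID; resolve it to an ARN first")
            continue
        key_region = parse_key_arn(key)["region"]
        if key_region != region:
            findings.append(f"{region}: replica key lives in {key_region}; a KMS key can only be used in its own Region")
        elif (primary_key.startswith("arn:aws:kms:") and is_multi_region_key(primary_key)
              and parse_key_arn(primary_key)["key_id"] != parse_key_arn(key)["key_id"]):
            findings.append(f"{region}: replica key is not a replica of the primary multi-Region key")
    return findings


# Constructed describe_secret responses (made-up account and key IDs).
ACCOUNT = "111122223333"
MRK_ID = "mrk-0f1e2d3c4b5a69788796a5b4c3d2e1f0"
SINGLE_REGION_KEY = f"arn:aws:kms:{PRIMARY_REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

GOOD = {  # multi-Region primary, replica key in us-west-1 with the same mrk- ID
    "Name": "prod/app/db-credentials",
    "KmsKeyId": f"arn:aws:kms:{PRIMARY_REGION}:{ACCOUNT}:key/{MRK_ID}",
    "ReplicationStatus": [{"Region": REPLICA_REGION, "Status": "InSync",
                           "KmsKeyId": f"arn:aws:kms:{REPLICA_REGION}:{ACCOUNT}:key/{MRK_ID}"}],
}
BAD = {  # option D read literally: a single-Region us-east-1 key named for the replica
    "Name": "prod/app/db-credentials",
    "KmsKeyId": SINGLE_REGION_KEY,
    "ReplicationStatus": [{"Region": REPLICA_REGION, "Status": "Failed", "KmsKeyId": SINGLE_REGION_KEY,
                           "StatusMessage": "constructed: key not usable in us-west-1"}],
}
```

Run `audit_replication(GOOD)` and `audit_replication(BAD)` to see the difference: the first returns no findings, the second reports the failed status and that the replica's key lives in us-east-1. The same audit can be run against live output from `describe_secret` to confirm a deployment before cutting traffic over to us-west-1.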


Twana
3 months ago
Wait, can Secrets Manager even replicate like that? Sounds risky!
upvoted 0 times
...
Heike
3 months ago
D sounds good, but can we really use the same KMS key across regions?
upvoted 0 times
...
Mitzie
3 months ago
C is interesting, but calling the endpoint in us-east-1 could add latency.
upvoted 0 times
...
Justine
4 months ago
I think B is the way to go! Less complexity.
upvoted 0 times
...
Dana
4 months ago
Option A seems solid, but why create a new KMS key in us-west-1?
upvoted 0 times
...
Jarod
4 months ago
I recall that using a customer managed KMS key allows for more flexibility, but I'm not sure if we should replicate the secrets or just access them from us-east-1. Option D seems to cover both bases, but it feels a bit complex.
upvoted 0 times
...
Verona
4 months ago
I’m a bit confused about whether we need to replicate the secrets or just reference them across regions. I thought we were supposed to use customer managed keys for better control.
upvoted 0 times
...
Nikita
4 months ago
I think we practiced a similar question where we had to replicate secrets across regions. I feel like option B might be the right choice since it minimizes latency by calling the endpoint directly.
upvoted 0 times
...
Sharika
5 months ago
I remember we discussed the importance of using KMS keys for encryption, but I'm not sure if we should use managed or customer managed keys in this case.
upvoted 0 times
...
Carlota
5 months ago
This seems straightforward enough. I'll encrypt the secrets in us-east-1 using an AWS-managed KMS key, then just configure the resources in us-west-1 to call the Secrets Manager endpoint in us-east-1. That should meet the requirements.
upvoted 0 times
...
Nickole
5 months ago
I'm a bit confused on the best approach here. Should I use a customer-managed KMS key instead of the AWS-managed one? And how do I ensure the solution can work if only one Region is available?
upvoted 0 times
...
Rasheeda
5 months ago
Okay, I think I've got a strategy. I'll start by encrypting the secrets in us-east-1 using an AWS-managed KMS key. Then I'll need to figure out the best way to replicate those secrets to us-west-1 while maintaining the encryption.
upvoted 0 times
...
India
5 months ago
Hmm, the key here seems to be how to replicate the secrets to the other Region while maintaining the encryption. I'll need to think through the options carefully.
upvoted 0 times
...
Xenia
5 months ago
This looks like a tricky one. I'll need to carefully consider the requirements around latency, multi-Region availability, and the use of AWS Secrets Manager and KMS.
upvoted 0 times
...
Pamella
5 months ago
Hmm, this seems like a tricky one. I'll need to carefully read through the options and think about which statement is incorrect.
upvoted 0 times
...
Glenn
5 months ago
Ah, I see what they're getting at. Requirements management is the overall process for controlling changes to requirements, so that's likely the best answer. I'll mark that one down.
upvoted 0 times
...
Keneth
5 months ago
I think redesigning the architecture to limit CA access might solve the latency issue, but isn't there a risk in terms of not checking for revoked certificates frequently?
upvoted 0 times
...
Wilbert
5 months ago
Okay, I've got this. I just need to calculate the mean, then find the deviations from the mean, square them, and take the square root. Piece of cake!
upvoted 0 times
...
Willow
5 months ago
Hmm, this is an odd one. I'm not entirely sure what the right approach is here. I'll have to think it through carefully and try to eliminate any options that don't make sense.
upvoted 0 times
...
Chau
2 years ago
I see your point, Beckie. Maybe using a customer managed KMS key and replicating to us-west-1 with the same key would be a better option.
upvoted 0 times
...
Shelton
2 years ago
That's a good point, Beckie. Using a customer managed KMS key might offer more control over the encryption process.
upvoted 0 times
...
Beckie
2 years ago
But wouldn't it be better to use a customer managed KMS key instead of AWS managed KMS key for encryption in us-east-1?
upvoted 0 times
...
Chau
2 years ago
I agree with Shelton. Encrypting in us-east-1 by using AWS managed KMS key is the way to go to meet the requirements.
upvoted 0 times
...
Shelton
2 years ago
I think the security engineer should encrypt the secrets in us-east-1 by using an AWS managed KMS key and then replicate the secrets to us-west-1.
upvoted 0 times
...
Kayleigh
2 years ago
That's a good point, Mollie. Maybe they should consider encrypting in both Regions using AWS managed KMS keys to meet those requirements.
upvoted 0 times
...
Mollie
2 years ago
But what about minimizing latency and ensuring availability if only one Region is available? Shouldn't they encrypt in both Regions using new AWS managed KMS keys?
upvoted 0 times
...
Moon
2 years ago
I agree with that. It's important to use AWS managed KMS keys for encryption to ensure security and compliance.
upvoted 0 times
...
Kayleigh
2 years ago
I think the security engineer should encrypt the secrets in us-east-1 by using an AWS managed KMS key. Then replicate the secrets to us-west-1.
upvoted 0 times
...
Carri
2 years ago
Ah, I see. Option C takes it a step further by using a customer-managed KMS key in us-east-1. That way, we have more control over the encryption key and can potentially simplify the key management process.
upvoted 0 times
...
Annelle
2 years ago
But Option B is also interesting. By having the resources in us-west-1 call the Secrets Manager endpoint in us-east-1, we can avoid the need to replicate the secrets, which could be beneficial for performance and consistency.
upvoted 0 times
Jose
2 years ago
D: Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.
upvoted 0 times
...
Ma
2 years ago
C: Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
upvoted 0 times
...
Kallie
2 years ago
B: Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
upvoted 0 times
...
Lavonna
2 years ago
A: Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.
upvoted 0 times
...
Lilli
2 years ago
You've got a point there! Managing all those keys could get tricky. Maybe Option B is the way to go - fewer moving parts and still meets the requirements.
upvoted 0 times
...
Noble
2 years ago
Agreed. I think Option B is the most elegant solution here. Minimizing the complexity of the setup while still ensuring availability and low latency seems like the best approach.
upvoted 0 times
...