Amazon Exam SCS-C02 Topic 7 Question 22 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 22
Topic #: 7

A company wants to configure DNS Security Extensions (DNSSEC) for the company's primary domain. The company registers the domain with Amazon Route 53. The company hosts the domain on Amazon EC2 instances by using BIND.

What is the MOST operationally efficient solution that meets this requirement?

ASet the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK) Restart the BIND service.

BMigrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS. Key Management Service (AWS KMS) customer managed key.

CSet the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Run the dnssec-signzone command to generate a delegation signer (DS) record Use AWS. Key Management Service (AWS KMS) to secure the keys.

DMigrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone.

Show Suggested Answer

Suggested Answer: C

In an AWS environment where a VPC has no internet access and requires communication with AWS services such as Secrets Manager, the most secure method is to use an interface VPC endpoint (AWS PrivateLink). This allows private connectivity to services like Secrets Manager, enabling AWS Lambda functions and other resources within the VPC to access Secrets Manager without requiring an internet gateway, NAT gateway, or VPN connection. Interface VPC endpoints are powered by AWS PrivateLink, a technology that enables private connectivity between AWS services using Elastic Network Interfaces (ENI) with private IPs in your VPCs. This option is more secure than creating a NAT gateway because it doesn't expose the resources to the internet and adheres to the principle of least privilege by providing direct access to only the required service.

by Aracelis at Jun 30, 2024, 03:29 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Luisa

1 months ago

I'd choose Option B. Migrating to Route 53 is like hiring a bouncer for your DNS - it'll keep the bad guys out while you kick back and relax.

upvoted 0 times

Ammie

3 days ago

Definitely, migrating to Route 53 with DNSSEC signing enabled is a smart move. It's like having a bodyguard for your DNS.

upvoted 0 times

...

Salena

8 days ago

I agree, Option B seems like the most efficient solution. It's like adding an extra layer of protection to your domain.

upvoted 0 times

...

Gilma

16 days ago

Option B sounds like a solid choice. Route 53 with DNSSEC signing enabled is like having a security guard for your domain.

upvoted 0 times

...

Ezekiel

1 months ago

Option B is the way to go. Who wants to mess with BIND configuration and manual key management when you can let Route 53 handle it all?

upvoted 0 times

...

Malinda

1 months ago

Option C looks good, but using AWS KMS to secure the keys might be overkill for a small company. I'd keep it simple with Option A.

upvoted 0 times

...

Serina

2 months ago

That's a valid point, Orville. Option B does seem to simplify the process by leveraging AWS services for key management. It could be a more secure and scalable solution.

upvoted 0 times

...

Latricia

2 months ago

I'd go with Option D. Migrating to Route 53 with DNSSEC and using AWS KMS for the KSK is a straightforward way to meet the requirement.

upvoted 0 times

Jesusa

16 days ago

I agree, migrating to Route 53 with DNSSEC enabled and using AWS KMS for the KSK sounds like a good solution.

upvoted 0 times

...

Yuette

19 days ago

Option D sounds like the best choice. Using AWS KMS for the KSK seems like a secure option.

upvoted 0 times

...

Jospeh

2 months ago

Option B seems the most operationally efficient solution. Migrating the zone to Route 53 with DNSSEC signing enabled and using AWS KMS for the keys is a secure and managed approach.

upvoted 0 times

...

Orville

2 months ago

I disagree, I believe option B is more efficient. Migrating the zone to Route 53 with DNSSEC signing enabled and using AWS KMS for key management seems like a better approach.

upvoted 0 times

...