New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon SCS-C02 Exam - Topic 8 Question 11 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 11
Topic #: 8
[All SCS-C02 Questions]

A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred.

What should the Security Engineer do to accomplish this?

Show Suggested Answer Hide Answer
Suggested Answer: C

The correct answer is C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.

This answer is correct because AWS CloudFormation Guard is a tool that helps you implement policy-as-code for your CloudFormation templates. You can use Guard to write rules that define your security policies, such as requiring encryption for EBS volumes, and then validate your templates against those rules before deploying them. You can integrate Guard into your CI/CD pipeline as a step that runs the validation checks and prevents the deployment of any non-compliant templates12.

The other options are incorrect because:

A) Turning on AWS Trusted Advisor and configuring security notifications as webhooks in the preferences section of the CI/CD pipeline is not a solution, because AWS Trusted Advisor is not a policy-as-code tool, but a service that provides recommendations to help you follow AWS best practices. Trusted Advisor does not allow you to define your own security policies or validate your CloudFormation templates against them3.

B) Turning on AWS Config and using the prebuilt or customized rules is not a solution, because AWS Config is not a policy-as-code tool, but a service that monitors and records the configuration changes of your AWS resources. AWS Config does not allow you to validate your CloudFormation templates before deploying them, but only evaluates the compliance of your resources after they are created4.

D) Creating rule sets as SCPs and integrating them as a part of validation control in a phase of the CI/CD process is not a solution, because SCPs are not policy-as-code tools, but policies that you can use to manage permissions in your AWS Organizations. SCPs do not allow you to validate your CloudFormation templates, but only restrict the actions that users and roles can perform in your accounts5.


1: What is AWS CloudFormation Guard? 2: Introducing AWS CloudFormation Guard 2.0 3: AWS Trusted Advisor 4: What Is AWS Config? 5: Service control policies - AWS Organizations

by Ma at Jan 26, 2024, 01:46 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Kristofer
3 months ago
Wait, can you really automate key rotation? That’s surprising!
upvoted 0 times
...
Dominga
3 months ago
D sounds interesting, but querying logs can be a hassle.
upvoted 0 times
...
Temeka
4 months ago
C is a bit too manual for my taste.
upvoted 0 times
...
Cassi
4 months ago
I think A is more straightforward for checking logs.
upvoted 0 times
...
Alverta
4 months ago
Option B seems like the best choice for monitoring events.
upvoted 0 times
...
Bettina
4 months ago
I feel like querying CloudTrail logs with Athena could work, but it seems more complicated than just checking the rotation status directly.
upvoted 0 times
...
Bea
4 months ago
I practiced using the CLI commands, but I can't recall if the `get-key-rotation-status` operation is the right one for checking the rotation date.
upvoted 0 times
...
Desirae
4 months ago
I think monitoring CloudWatch Events for KMS CMK rotation sounds familiar. It might give real-time alerts, which could be useful.
upvoted 0 times
...
Hector
5 months ago
I remember we discussed using CloudTrail logs to track key rotation events, but I'm not sure if filtering them is the best approach.
upvoted 0 times
...
Huey
5 months ago
Ah, this is a good one. I think I'll go with option A and filter the CloudTrail logs for the KeyRotation events. That should give me a clear audit trail of the key rotations.
upvoted 0 times
...
Lisbeth
5 months ago
Option C looks promising - using the IAM CLI to check the key rotation status directly. That seems like a reliable way to verify the rotation has occurred as required.
upvoted 0 times
...
Nguyet
5 months ago
This seems like a straightforward question about verifying key rotation. I think I'll go with option B and monitor CloudWatch events for any KMS CMK rotation events.
upvoted 0 times
...
Denny
5 months ago
Hmm, I'm a bit unsure about this one. I'm trying to decide between options A and D. I'm leaning towards D to use Athena to query the CloudTrail logs, but I'll need to double-check the details on that approach.
upvoted 0 times
...
Chantell
5 months ago
Hmm, I'm a bit unsure about this one. The options seem to cover different types of static analysis, but I'm not entirely clear on how they relate to identifying definition-use pairs. I'll need to think this through carefully.
upvoted 0 times
...
Latrice
5 months ago
I'm pretty sure Azure HDInsight and Azure Databricks can be used to provision Apache Spark clusters, but I'm not sure about the other options.
upvoted 0 times
...
Laura
5 months ago
Ah, I remember learning about this in class. The authorized_keys file is where you store the public keys for users who are allowed to authenticate via SSH. Definitely going with D for this one.
upvoted 0 times
...
Yolande
5 months ago
Hmm, I'm a bit unsure about the differences between asynchronous and synchronous replication. I'll need to think that through carefully.
upvoted 0 times
...
Charlene
9 months ago
I hope the correct answer doesn't involve any 'black magic' or 'voodoo' ceremonies to verify the key rotation. That would be a bit too much for a security engineer, don't you think?
upvoted 0 times
...
Annamae
9 months ago
A) Filtering CloudTrail logs for KeyRotation events is a valid approach, but it might not be as efficient as monitoring CloudWatch Events.
upvoted 0 times
...
Zita
9 months ago
D) Querying CloudTrail logs with Athena is a good option, but it might be overkill for this use case. It could be a bit more complex to set up.
upvoted 0 times
Vi
8 months ago
Set up CloudWatch Events to trigger notifications on key rotation events
upvoted 0 times
...
Dorothea
8 months ago
Use AWS Config to monitor key rotation compliance
upvoted 0 times
...
Marg
9 months ago
Verify the key rotation status using AWS CloudTrail logs
upvoted 0 times
...
Cathern
9 months ago
Check the key rotation status in the AWS Key Management Service console
upvoted 0 times
...
...
Jutta
9 months ago
C) Using the IAM CLI to check the CMK rotation date seems like the most direct approach. I like that it gives you the specific details you need.
upvoted 0 times
Rachael
8 months ago
C) Using the IAM CLI, run the IAM kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
upvoted 0 times
...
Jenelle
9 months ago
B) Monitor Amazon CloudWatch Events for any IAM KMS CMK rotation events
upvoted 0 times
...
Lynelle
9 months ago
A) Filter IAM CloudTrail logs for KeyRotation events
upvoted 0 times
...
...
Rosio
10 months ago
B) Monitoring CloudWatch Events seems like the way to go. It's a nice way to get real-time notifications on key rotations.
upvoted 0 times
Tyisha
8 months ago
C) Using the IAM CLI, run the IAM kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
upvoted 0 times
...
Ashanti
8 months ago
B) Monitor Amazon CloudWatch Events for any IAM KMS CMK rotation events
upvoted 0 times
...
Dulce
8 months ago
A) Filter IAM CloudTrail logs for KeyRotation events
upvoted 0 times
...
Leoma
9 months ago
C) Using the IAM CLI, run the IAM kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
upvoted 0 times
...
Johnetta
9 months ago
B) Monitor Amazon CloudWatch Events for any IAM KMS CMK rotation events
upvoted 0 times
...
Cassie
10 months ago
A) Filter IAM CloudTrail logs for KeyRotation events
upvoted 0 times
...
...
Angelica
11 months ago
That's a good point, Chan. Checking the CloudTrail logs does provide a detailed history. It's important to have a solid audit trail for compliance purposes.
upvoted 0 times
...
Chan
11 months ago
I disagree, I believe option A is more reliable. Filtering IAM CloudTrail logs for KeyRotation events will give us a clear record of when the rotation occurred.
upvoted 0 times
...
Angelica
11 months ago
I think option B is the best choice. Monitoring CloudWatch Events seems like the most direct way to verify key rotation.
upvoted 0 times
...

Save Cancel