Fatskills
Study Guide: Selecting Appropriate Data Security Options
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/selecting-appropriate-data-security-options

Selecting Appropriate Data Security Options

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


1. Which data store is available with AWS as a single tenant by design?
There is no single-tenant data store available with AWS. All data stores at AWS are multi-tenant by design. Protection of data records is carried out by enabling encryption.

2. What is the default state of an S3 bucket regarding public access when the bucket is created?
All public access for a newly created S3 bucket is blocked until each customer makes a decision to make the S3 bucket public.

3. What is the security advantage of using SSE-C encryption with S3 buckets?
SSE-C encryption uses a customer-provided encryption key for both encryption and decryption. The key is discarded after use and must be supplied by the customer each time. Therefore, there is no security risk with stored encryption keys at AWS.

4. Describe the concept of envelope encryption that is used by KMS.
Envelope encryption involves a hierarchy of security when working with KMS. KMS is the master and creates data keys for encryption and decryption that are associated with a specific CMK. The keys cannot work with any other CMK and are controlled by KMS.

5. What type of data stored at AWS is automatically encrypted?
S3 Glacier objects are automatically encrypted when stored in vaults.

6. Why is CloudHSM chosen by companies that need to adhere to an elevated compliance standard?
CloudHSM is a hardware storage module that is maintained by AWS. AWS backs up the contents of CloudHSM, but the only person who can access the contents is the assigned customer.

7. How does KMS carry out automatic key rotation for imported keys?
KMS does not support the rotation of private keys that were imported.

8. Where can private CAs created by Amazon Certificate Manager be deployed?
Amazon Certificate Manager can be used to create a private CA that renews and deploys certificates for private-facing resources, such as a network load balancer deployed on private subnets.
