{"id":199,"date":"2021-01-10T10:29:57","date_gmt":"2021-01-10T10:27:31","guid":{"rendered":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question190\/"},"modified":"2021-01-10T10:30:35","modified_gmt":"2021-01-10T10:30:35","slug":"aws-certified-security-specialty-scs-c01-question190","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question190\/","title":{"rendered":"AWS Certified Security – Specialty SCS-C01 – Question190"},"content":{"rendered":"
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.
\nHow can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)

A.<\/strong> There is no API operation to retrieve an S3 object in its encrypted form.
B.<\/strong> Encryption of S3 objects is performed within the secure boundary of the KMS service.
C.<\/strong> S3 uses KMS to generate a unique data key for each individual object.
D.<\/strong> Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
E.<\/strong> The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.<\/div>\n

<\/p>\n