{"id":296,"date":"2022-02-09T05:50:31","date_gmt":"2022-02-09T05:50:31","guid":{"rendered":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question230\/"},"modified":"2022-02-09T05:50:31","modified_gmt":"2022-02-09T05:50:31","slug":"aws-certified-security-specialty-scs-c01-question230","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question230\/","title":{"rendered":"AWS Certified Security – Specialty SCS-C01 – Question230"},"content":{"rendered":"
A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion.
\nThe encryption key can be no more than 10 days old or encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.
\nWhich approach MOST efficiently meets the company's needs?

A.<\/strong> Use the AWS Encryption SDK and set the maximum age to 10 days and the maximum number of messages encrypted to 2^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
B.<\/strong> Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object.
C.<\/strong> Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3.
D.<\/strong> Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.<\/div>\n

<\/p>\n