AWS Certified SysOps Administrator SOA-C01 – Question479

You need to determine what encryption operations were taken with which key in AWS KMS to either encrypt or decrypt data in the AWS CodeCommit repository. Which of the following actions will best help you accomplish this?

A. Searching for the AWS CodeCommit repository ID in AWS CloudTrail logs
B. Searching for the encryption key ID in AWS CloudTrail logs
C. Searching for the AWS CodeCommit repository ID in AWS CloudWatch
D. Searching for the encryption key ID in AWS CloudWatch

Correct Answer: A

Explanation:

The encryption context is additional authenticated information AWS KMS uses to check for data integrity. When specified for the encryption operation, it must also be specified in the decryption operation or decryption will fail. AWS CodeCommit uses the AWS CodeCommit repository ID for the encryption context. You can find the repository ID by using the get-repository command or by viewing repository details in the AWS CodeCommit console. Search for the AWS CodeCommit repository ID in AWS CloudTrail logs to understand which encryption operations were taken on which key in AWS KMS to encrypt or decrypt data in the AWS CodeCommit repository.

Reference: http://docs.aws.amazon.com/codecommit/latest/userguide/encryption.html
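The search described in the explanation, as an added example that is not part of the original question: it filters CloudTrail records to KMS events whose encryption context contains the repository ID and groups the operations by key. The repository ID, key ARNs, context key name and records are constructed sample data; the function name is hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample data: repository ID, key ARNs, context key name and
# records are made up for illustration; they are not real CloudTrail output.
REPO_ID = "f7579e13-b83e-4027-aaef-650c0EXAMPLE"
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"

def _kms(time, name, key_arn, ctx_value):
    """Build one constructed KMS record in CloudTrail's record layout."""
    return {"eventTime": time, "eventSource": "kms.amazonaws.com",
            "eventName": name,
            "requestParameters": {"encryptionContext": {"example:repository-id": ctx_value}},
            "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key"}]}

SAMPLE_TRAIL = json.dumps({"Records": [
    _kms("2024-01-05T10:00:00Z", "GenerateDataKey", KEY_A, REPO_ID),
    _kms("2024-01-05T10:02:00Z", "Decrypt", KEY_A, REPO_ID),
    _kms("2024-01-05T10:03:00Z", "Decrypt", KEY_B, "some-other-repository-id"),
    # KMS call with no request parameters; must not crash the search.
    {"eventTime": "2024-01-05T10:04:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ListAliases", "requestParameters": None},
    # CodeCommit API event; not a KMS encryption operation, so it is skipped.
    {"eventTime": "2024-01-05T10:05:00Z", "eventSource": "codecommit.amazonaws.com",
     "eventName": "GetRepository", "requestParameters": {"repositoryName": "demo"}},
]})

def kms_operations_for_repo(trail_json, repo_id):
    """Map each KMS key ARN to the (time, operation) pairs whose encryption
    context carries repo_id. Matches on context values, so it does not
    depend on the context key name."""
    hits = defaultdict(list)
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        context = params.get("encryptionContext") or {}
        if repo_id not in context.values():
            continue
        keys = [r["ARN"] for r in rec.get("resources") or [] if r.get("ARN")]
        for key in keys or [params.get("keyId", "unknown")]:
            hits[key].append((rec["eventTime"], rec["eventName"]))
    return dict(hits)

if __name__ == "__main__":
    for key, ops in kms_operations_for_repo(SAMPLE_TRAIL, REPO_ID).items():
        print(key, ops)
```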