Q190. A financial services company logs personally identifiable information to its application logs stored in Amazon S3. Due to regulatory compliance requirements, the log files must be encrypted at rest. The Security team has mandated that the company's on-premises hardware security modules (HSMs) be used to generate the CMK material. Which steps should the Solutions Architect take to meet these requirements?

A. Create an AWS CloudHSM cluster. Create a new CMK in AWS KMS using AWS_CloudHSM as the source for the key material and an origin of AWS_CLOUDHSM. Enable automatic key rotation on the CMK with a duration of 1 year. Configure a bucket policy on the logging bucket that disallows uploads of unencrypted data and requires that the encryption source be AWS KMS.
B. Provision an AWS Direct Connect connection, ensuring there is no overlap of the RFC 1918 address space between on-premises hardware and the VPC. Configure an AWS bucket policy on the logging bucket that requires all objects to be key material and create a unique CMK for each logging event.
C. Create a CMK in AWS KMS with no key material and an origin of EXTERNAL. Import the key material generated from the on-premises HSMs into the CMK using the public key and import token provided by AWS. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.
D. Create a new CMK in AWS KMS with AWS-provided key material and an origin of AWS_KMS. Disable this CMK and overwrite the key material with the material from the on-premises HSM using the public key and import token provided by AWS. Re-enable the CMK. Enable automatic key rotation on the CMK with a duration of 1 year. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.
Correct answer: C