Which combination of steps should the security engineer take to remediate this issue?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region.Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest.The security engineer creates a destination S3 bucket in the us-west-2 Region.The destination S3 bucket is in the same AWS account as the source S3 bucket.The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket.The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket.The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket.However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue?

(Choose three.)

Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.

Grant the IAM role the kms:Encrypt permission for the key in us-east-1 that encrypts source objects.

Grant the IAM role the s3:GetObjectVersionForReplication permission for objects that are in the source S3 bucket.

Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects.

Change the key policy of the key in us-east-1 to grant the kms:Decrypt permission to the security engineer’s IAM account.

Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

Leave a Reply

Your email address will not be published. Required fields are marked *

nine − seven =