Topic 1 Question 219
A security engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the security engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?
The log files fail integrity validation and automatically are marked as unavailable.
The KMS key policy does not grant the security engineer’s IAM user or role permissions to decrypt with it.
The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
An IAM policy applicable to the security engineer’s IAM user or role denies access to the “CloudTrail/” prefix in the Amazon S3 bucket.
ユーザの投票
コメント(1)
- 正解だと思う選択肢: B
KMS Key Policy Permissions: If the KMS key policy does not explicitly grant the necessary decrypt permissions to the security engineer's IAM user or role, they will not be able to read the encrypted log files. This is a common issue when dealing with SSE-KMS encryption. Digest Files: These files are not encrypted with the KMS key, which is why they are readable even if the log files are not. To resolve this, the security engineer should ensure that the KMS key policy includes the appropriate permissions for their IAM user or role to decrypt the log files.
👍 1Pmktechno2024/12/29
シャッフルモード