(Choose two.)
A. Call
UploadServerCertificate
with
/cloudfront/dev/
in the path parameter.
B.
Import the certificate with a 4,096-bit RSA public key.
C.
Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
D.
Import the certificate in the us-east-1 (N. Virginia) Region.
E.
Ensure that the certificate, private key, and certificate chain are PEM-encoded.
3A52A51D4DDEDF2CE379291908AA5BBD
QUESTION 139
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket
examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to
limit access to each IAM user can access an assigned folder only.
What should the Security Engineer do to achieve this?
A.
Use envelope encryption with the AWS-managed CMK aws/s3.
B.
Create a customer-managed CMK with a key policy granting “kms:Decrypt” based on the
“${aws:username}” variable.
C.
Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key
policy.
D.
Change the applicable IAM policy to grant S3 access to “Resource”:
“arn:aws:s3:::examplebucket/${aws:username}/*”
You've reached the end of your free preview.
Want to read all 51 pages?
- Fall '19
- AWS, Amazon Elastic Compute Cloud
