Exam SAA-C03
Question 100

A company's containerized application runs on an Amazon EC2 instance. The application needs to download security certificates before it can communicate with other business applications. The company wants a highly secure solution to encrypt and decrypt the certificates in near real time. The solution also needs to store data in highly available storage after the data is encrypted.

Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: C

The company needs a solution that is highly secure, provides encryption and decryption in near real time, and stores the data in a highly available storage system. Creating an AWS KMS customer managed key allows for secure key storage and encryption/decryption operations with minimal operational overhead. Amazon S3 provides highly available and scalable storage, which meets the requirement for storing encrypted data. The combination of AWS KMS and S3 ensures both security and availability, while keeping operational overhead low.
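An identity policy for the EC2 instance role that matches the KMS-plus-S3 arrangement in the explanation above. This is an added example, not part of the original question or its answer options; it assumes the application calls KMS through the instance role, as the discussion below describes, and the key ARN, bucket name and `encrypted/` prefix are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UseCustomerManagedKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
    },
    {
      "Sid": "StoreEncryptedData",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/encrypted/*"
    }
  ]
}
```

Both statements name a single key and a single object prefix rather than `*`, so the role cannot use other keys or read other buckets. `kms:GenerateDataKey` is included because the KMS `Encrypt` operation accepts at most 4 KB of plaintext, so larger payloads are encrypted locally with a data key.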

Discussion
Chunsli

C makes better sense. Between C (S3) and D (EBS), S3 is highly available with LEAST operational overhead.

MutiverseAgent

Agree, also the data in EBS will be accessible only to the EC2 instance and that is not as available as S3 would be.

MXB05 Option: C

Correct Answer is C: EBS is not highly available

JayBee65

Yes it is!

FNJ1111

Per AWS: "Amazon EBS volumes are designed to be highly available, reliable, and durable" https://aws.amazon.com/ebs/features/

Ello2023

EBS is Highly Available as it stores in multi AZ and S3 is regional.

oguz11

EBS also has Multi-AZ capability, but it does not replicate the data across multiple availability zones by default. When Multi-AZ is enabled, it creates a replica of the EBS volume in a different availability zone and automatically fails over to the replica in case of a failure. However, this requires additional configuration and management. In comparison, Amazon S3 automatically replicates data across multiple availability zones without any additional configuration. Therefore, storing the data on Amazon S3 provides a simpler and more efficient solution for high availability.

dkw2342

This is false. There is no AWS-provided functionality that will replicate EBS volumes across AZs. There are 3rd-party solutions to this, but that's not what's being asked here. EBS is only replicated WITHIN an AZ by default.

pentium75

S3 is also highly available. Within the region, but still. Multi-AZ = HA.

Bayebrymo

This is false... S3 is Multi AZ and EBS is only replicated WITHIN an AZ by default.

Shub80

- AWS KMS: Provides a managed service for secure key storage and encryption/decryption operations. This eliminates the need to manage encryption/decryption logic within the application itself.
- Customer Managed Key: The company maintains control over the key, ensuring security.
- EC2 Role Permissions: Granting permissions to the EC2 role allows the application to use KMS for encryption/decryption without managing individual credentials.
- Amazon S3: Offers highly available and scalable storage for the encrypted certificates. S3 is generally cheaper than EBS for data that is not frequently accessed.

pentium75 Option: C

A - does not mention storing the encrypted data at all (though that is a requirement), also involves manual action which is surely NOT "least operational effort"
B - Doesn't make any sense
C - Yes, S3 meets the requirements and is easy to access from containerized app
D - EBS volumes are mounted to the container host, but data is created on containers

jaradat02 Option: C

C is the most efficient.

ChymKuBoy Option: C

C for sure

huangyou2003 Option: C

S3: highly available
EBS: lower latency

f761d0e

"Amazon S3 is an object storage service that can store large volumes of unstructured data, whereas Amazon EBS is a block storage service that is ideally suited for durable, low-latency data storage associated with EC2 instances." https://www.tutorialspoint.com/difference-between-amazon-s3-and-amazon-ebs#:~:text=In%20conclusion%2C%20Amazon%20S3%20is,storage%20associated%20with%20EC2%20instances. Seems like D to me. S3 is for large data, EBS is ec2 specific.

awsgeek75 Option: C

The language is confusing over here so I'm going by process of elimination
A: Wrong because manual operation and fine grained IAM is overhead
B: What?
D: Between C and D S3 is more HA than EFS so C wins

awsgeek75

Sorry meant EBS, not EFS for D
D: Between C and D, S3 is more HA than EBS. So C wins

ignajtpolandstrong Option: D

I would select D. You can mount a single Amazon Elastic Block Store (EBS) volume to multiple Docker containers running on the same Amazon Elastic Compute Cloud (EC2) instance. You can store data from a container running on Amazon Elastic Compute Cloud (EC2) to an Amazon Simple Storage Service (S3) bucket. One way to do this is to use the aws s3 cp command in the command line of the EC2 instance.

xdkonorek2 Option: A

A is OK
secrets manager:
- is highly available
- you can store custom secrets in it like certificate
- automatically encrypts secrets at rest, and can be configured for encryption in transit
- downloading certificate from it is less operational overhead than decrypting it manually with KMS key
arguments against it that this is more manual than C and D? this manual step is necessary measure and can't be omitted in other options
C and D have this "store the encrypted data in..." to store encrypted certificate you have to: log in to instance, get kms key, get certificate, encrypt it, and load that data
this is more operational overhead

pentium75

"Least operational overhead" and "manually" (as in A) usually don't go together. Also, A does not say anything about storing the data (which is a requirement). "C and D have this 'store the encrypted data in'" yes, exactly, the encrypted data, NOT the certificate. You encrypt data with the certificate, and you want to store THAT encrypted data.

David_Ang Option: C

"C" is more correct because S3 is more efficient and cheaper to store data like certificates, like this case. Also Option D involves using Amazon Elastic Block Store (Amazon EBS) volumes, which is not typically used for storing certificates and may introduce unnecessary complexity and operational overhead.

Abitek007

confused between EBS and S3, both are HA, but location?

joshik

C. when it comes to availability, Amazon S3 is generally more highly available than Amazon EBS because S3 replicates data across multiple AZs by default, providing greater resilience to failures. However, the choice between S3 and EBS depends on your specific use case and whether you need block storage for EC2 instances (EBS) or object storage for storing and retrieving data (S3).

Ramdi1 Option: D

I selected D, even though S3 has high availability to 11 9’s. The question started with EC2 Instance. EBS provides block level storage that is attached to EC2 Instances. They are also designed for High Availability.

Guru4Cloud Option: C

Option C is the best solution that meets all the requirements with the least operational overhead:
- Use AWS KMS customer managed key for encryption
- Allow EC2 instance role access to use the KMS key
- Store encrypted data in Amazon S3

mr_D3v1n3

All data within EBS is stored in equally sized blocks. This system offers some performance advantages over traditional storage, and generally boasts lower latency, too. This would meet the near real time requirement over the S3 option