Examice

Exam SAA-C03 All QuestionsBrowse all questions from this exam

Question 793

A company has a mobile app for customers. The app’s data is sensitive and must be encrypted at rest. The company uses AWS Key Management Service (AWS KMS).

The company needs a solution that prevents the accidental deletion of KMS keys. The solution must use Amazon Simple Notification Service (Amazon SNS) to send an email notification to administrators when a user attempts to delete a KMS key.

Which solution will meet these requirements with the LEAST operational overhead?

Create an Amazon EventBridge rule that reacts when a user tries to delete a KMS key. Configure an AWS Config rule that cancels any deletion of a KMS key. Add the AWS Config rule as a target of the EventBridge rule. Create an SNS topic that notifies the administrators.

Create an AWS Lambda function that has custom logic to prevent KMS key deletion. Create an Amazon CloudWatch alarm that is activated when a user tries to delete a KMS key. Create an Amazon EventBridge rule that invokes the Lambda function when the DeleteKey operation is performed. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that notifies the administrators.

Create an Amazon EventBridge rule that reacts when the KMS DeleteKey operation is performed. Configure the rule to initiate an AWS Systems Manager Automation runbook. Configure the runbook to cancel the deletion of the KMS key. Create an SNS topic. Configure the EventBridge rule to publish an SNS message that notifies the administrators.

Create an AWS CloudTrail trail. Configure the trail to deliver logs to a new Amazon CloudWatch log group. Create a CloudWatch alarm based on the metric filter for the CloudWatch log group. Configure the alarm to use Amazon SNS to notify the administrators when the KMS DeleteKey operation is performed.

Correct Answer: C

To prevent the accidental deletion of KMS keys with minimal operational overhead, the most efficient solution is to create an Amazon EventBridge rule that reacts specifically to the KMS DeleteKey operation. This rule can then initiate an AWS Systems Manager Automation runbook to cancel the deletion. An SNS topic can be used to notify administrators when an attempt to delete a KMS key is made. This approach utilizes AWS's pre-built automation capabilities to ensure quick and reliable prevention of key deletion, ensuring minimal manual intervention and low operational complexity.

Discussion

Andy_09

Option C https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-and-remediate-scheduled-deletion-of-aws-kms-keys.html

hajra313

option c bcz Option C emerges as the clear winner due to its: Direct event monitoring for the DeleteKey operation Pre-built automation using Systems Manager Automation runbooks Efficient notification via Amazon SNS Minimal code development and operational overhead Reduced risk of accidental deletion with faster response times

knben

I would go with C A -> Config is for compliance B -> No lambda is required, too much complexity C -> It achieves the goal, since KMS keys are not immediately deleted, which gives time to automation to cancel the action D -> Cloudtrail is for auditing

sandordiniOption: C

My educated guess was C. Now, reading the comments, from Hajrá313 and knben I feel confident as well :)

JunsK1eOption: C

I agree with andy_09

Dammy031Option: D

Cloud trail helps to keep all invoked API calls in the AWS account which can trail back to the delete call made by a user CloudWatch triggers an alarm when deletion is attempted. SNS sends a notification to the administration about the attempt made. All these met the requirement of the question.

camps

It's D https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html#cloudwatch-alarm-prerequisites

1dd

C as it " cancel the deletion of the KMS key"

NayeraBOption: C

I agree with hajra313