Amazon Exam DBS-C01 Topic 1 Question 89 Discussion

Actual exam question for Amazon's DBS-C01 exam

Question #: 89
Topic #: 1

A company uses an Amazon Redshift cluster to run its analytical workloads. Corporate policy requires that the company's data be encrypted at rest with customer managed keys. The company's disaster recovery plan requires that backups of the cluster be copied into another AWS Region on a regular basis.

How should a database specialist automate the process of backing up the cluster data in compliance with these policies?

ACopy the AWS Key Management Service (AWS KMS) customer managed key from the source Region to the destination Region. Set up an AWS Glue job in the source Region to copy the latest snapshot of the Amazon Redshift cluster from the source Region to the destination Region. Use a time-based schedule in AWS Glue to run the job on a daily basis.

BCreate a new AWS Key Management Service (AWS KMS) customer managed key in the destination Region. Create a snapshot copy grant in the destination Region specifying the new key. In the source Region, configure cross-Region snapshots for the Amazon Redshift cluster specifying the destination Region, the snapshot copy grant, and retention periods for the snapshot.

CCopy the AWS Key Management Service (AWS KMS) customer-managed key from the source Region to the destination Region. Create Amazon S3 buckets in each Region using the keys from their respective Regions. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function in the source Region to copy the latest snapshot to the S3 bucket in that Region. Configure S3 Cross-Region Replication to copy the snapshots to the destination Region, specifying the source and destination KMS key IDs in the replication configuration.

DUse the same customer-supplied key materials to create a CMK with the same private key in the destination Region. Configure cross-Region snapshots in the source Region targeting the destination Region. Specify the corresponding CMK in the destination Region to encrypt the snapshot.

Show Suggested Answer

Suggested Answer: B

According to the Amazon Redshift documentation1, you can enable database encryption for your clusters to help protect data at rest. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.

To copy encrypted snapshots across Regions, you need to create a snapshot copy grant in the destination Region and specify a CMK in that Region. You also need to configure cross-Region snapshots in the source Region and provide the destination Region, the snapshot copy grant, and retention periods for the snapshots. This way, you can automate the process of backing up the cluster data in compliance with the corporate policies.

by Alishia at Apr 11, 2024, 12:53 PM

Limited Time Offer

25%

Off

Get Premium DBS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Mitzie

4 months ago

That's a good point. Maybe option C is the way to go after all.

upvoted 0 times

...

Noe

4 months ago

That's true, but configuring cross-Region snapshots with S3 replication in option C provides redundancy.

upvoted 0 times

...

Berry

5 months ago

But wouldn't copying the KMS key to the destination Region be more secure?

upvoted 0 times

...

Mitzie

5 months ago

I'm leaning towards option D because it seems simpler to manage.

upvoted 0 times

...

Noe

5 months ago

I disagree, I believe option C is more suitable for our needs.

upvoted 0 times

...

Berry

5 months ago

I think option B is the best choice.

upvoted 0 times

...

Jacki

5 months ago

I think option C is the most secure option as it involves replicating the snapshots with specified KMS key IDs.

upvoted 0 times

...

Catina

5 months ago

But with option C, we can use EventBridge to automate the process with Lambda function.

upvoted 0 times

...

Matt

5 months ago

I prefer option A. It's more straightforward to copy the key and use AWS Glue job.

upvoted 0 times

...

Frederic

6 months ago

I agree with Option C seems to be the most efficient solution.

upvoted 0 times

...

Catina

6 months ago

I think option C is the best choice.

upvoted 0 times

...

An

7 months ago

Yeah, I like the elegance of option C as well. Leveraging existing AWS services like Eventbridge, Lambda, and S3 replication makes a lot of sense here.

upvoted 0 times

...

Levi

7 months ago

I'm leaning towards option C. Using EventBridge and Lambda to automate the snapshot process, along with S3 Cross-Region Replication, seems like a robust and comprehensive solution.

upvoted 0 times

...

Edna

7 months ago

Hmm, I'm leaning towards option C. Copying the KMS key to the destination region and using S3 Cross-Region Replication seems like a robust and automated solution.

upvoted 0 times

Kristal

6 months ago

I agree, it's important to have a secure and automated backup process in place.

upvoted 0 times

...

Rosendo

6 months ago

Yeah, having the KMS key in both regions and using Lambda to copy the snapshots sounds efficient.

upvoted 0 times

...

Jaime

6 months ago

Option C seems like a good choice. Using S3 Cross-Region Replication can help automate the process.

upvoted 0 times

...

Willodean

7 months ago

I agree. The key is to properly set up the KMS keys and configure the cross-region snapshot replication. It's a good thing they're giving us multiple options to consider.

upvoted 0 times

...

Willie

7 months ago

You know, I'm a little concerned about the complexity of some of these solutions. Wouldn't it be simpler to just backup to an S3 bucket and let S3 handle the encryption and replication?

upvoted 0 times

...

Suzan

7 months ago

That's a good point. Option D does seem more straightforward in terms of the key management. But I'm not sure if that fully meets the requirement of using 'customer-managed' keys in both regions.

upvoted 0 times

...

Leslee

7 months ago

I think option B is the way to go. Creating a new KMS key in the destination Region and configuring cross-Region snapshots seems like the most straightforward approach.

upvoted 0 times

...

Buddy

7 months ago

Oh man, I hope they don't ask us to explain the intricacies of AWS KMS and cross-Region replication. That stuff always makes my head spin.

upvoted 0 times

Marci

6 months ago

Option D could work too, as long as the CMK is properly configured.

upvoted 0 times

...

Lezlie

6 months ago

upvoted 0 times

...

Josefa

7 months ago

I'm leaning towards option C because it involves using Amazon EventBridge and S3 Cross-Region Replication.

upvoted 0 times

...

Arlene

7 months ago

upvoted 0 times

...

Timothy

7 months ago

But option A also seems like a viable solution.

upvoted 0 times

...

Julio

7 months ago

upvoted 0 times

...

Glennis

7 months ago

I think option B sounds like the best choice.

upvoted 0 times

...

Wilford

7 months ago

upvoted 0 times

...

Yvonne

7 months ago

Hmm, this is a tricky one. We need to make sure the backup process is fully automated and complies with the company's data encryption and disaster recovery policies.

upvoted 0 times

...

Mariko

7 months ago

This is a great question that really tests our understanding of AWS Redshift backup and encryption best practices. I'm feeling confident about this one.

upvoted 0 times

...