Amazon SCS-C02 Exam - Topic 7 Question 22 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 22
Topic #: 7

A company wants to configure DNS Security Extensions (DNSSEC) for the company's primary domain. The company registers the domain with Amazon Route 53. The company hosts the domain on Amazon EC2 instances by using BIND.

What is the MOST operationally efficient solution that meets this requirement?

ASet the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK) Restart the BIND service.

BMigrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS. Key Management Service (AWS KMS) customer managed key.

CSet the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Run the dnssec-signzone command to generate a delegation signer (DS) record Use AWS. Key Management Service (AWS KMS) to secure the keys.

DMigrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone.

Show Suggested Answer

Suggested Answer: C

In an AWS environment where a VPC has no internet access and requires communication with AWS services such as Secrets Manager, the most secure method is to use an interface VPC endpoint (AWS PrivateLink). This allows private connectivity to services like Secrets Manager, enabling AWS Lambda functions and other resources within the VPC to access Secrets Manager without requiring an internet gateway, NAT gateway, or VPN connection. Interface VPC endpoints are powered by AWS PrivateLink, a technology that enables private connectivity between AWS services using Elastic Network Interfaces (ENI) with private IPs in your VPCs. This option is more secure than creating a NAT gateway because it doesn't expose the resources to the internet and adheres to the principle of least privilege by providing direct access to only the required service.

by Aracelis at Jun 30, 2024, 03:29 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Adelina

4 months ago

Nah, option A is fine if you want to stick with BIND.

upvoted 0 times

...

Justa

4 months ago

I think option C is more secure with the dnssec-signzone command.

upvoted 0 times

...

Marge

4 months ago

Wait, does Route 53 even support DNSSEC signing?

upvoted 0 times

...

Tamra

5 months ago

I agree, migrating to Route 53 simplifies a lot of the work.

upvoted 0 times

...

Floyd

5 months ago

Option B seems the easiest with Route 53 handling DNSSEC.

upvoted 0 times

...

Mickie

5 months ago

I recall a similar question where we had to choose between manual configuration and using AWS services. I think leveraging AWS KMS is a good move for security.

upvoted 0 times

...

Georgiann

5 months ago

I feel like I might be mixing up the key-signing key and zone-signing key. I need to double-check which one is used for what in the context of BIND.

upvoted 0 times

...

Melissa

5 months ago

I think option B makes sense because it mentions DNSSEC signing enabled in Route 53, which is what we practiced in class.

upvoted 0 times

...

Aaron

6 months ago

I remember studying DNSSEC, but I'm not sure if migrating to Route 53 is the most efficient way. It seems like a lot of work.

upvoted 0 times

...

Edna

6 months ago

This looks like a good opportunity to demonstrate my knowledge of DNSSEC and AWS services. I'll carefully consider each option and select the most efficient solution.

upvoted 0 times

...

Corrinne

6 months ago

I'm confident I can walk through the steps to set up DNSSEC, but I want to make sure I understand the most "operationally efficient" part of the question.

upvoted 0 times

...

Glory

6 months ago

Hmm, I'm a bit unsure about the differences between the ZSK and KSK keys. I'll need to review that part carefully.

upvoted 0 times

...

Velda

6 months ago

This seems like a straightforward DNSSEC configuration question. I think I can handle this one.

upvoted 0 times

...

Benton

6 months ago

Okay, the key is to use AWS services like Route 53 and KMS to manage the DNSSEC keys. That should make it more operationally efficient.

upvoted 0 times

...

Dorsey

6 months ago

I'm a bit confused by this question. I know HBase uses a key-value model, but I'm not familiar with the exact contents of the HFile format. I'll have to review my notes and try to reason this out.

upvoted 0 times

...

Ty

6 months ago

Hmm, this looks like a tricky one. I'll need to carefully analyze the queue configuration and the changes made to determine the impact.

upvoted 0 times

...

Michel

6 months ago

Hmm, the question is focused on the most important aspect, so I'll need to weigh the options carefully. I think looking for tools that can handle exceptions and actions based on SUT events could be really helpful given the unreliable hardware and communication.

upvoted 0 times

...

Luisa

11 months ago

I'd choose Option B. Migrating to Route 53 is like hiring a bouncer for your DNS - it'll keep the bad guys out while you kick back and relax.

upvoted 0 times

Ammie

10 months ago

Definitely, migrating to Route 53 with DNSSEC signing enabled is a smart move. It's like having a bodyguard for your DNS.

upvoted 0 times

...

Salena

10 months ago

I agree, Option B seems like the most efficient solution. It's like adding an extra layer of protection to your domain.

upvoted 0 times

...

Gilma

10 months ago

Option B sounds like a solid choice. Route 53 with DNSSEC signing enabled is like having a security guard for your domain.

upvoted 0 times

...

Ezekiel

11 months ago

Option B is the way to go. Who wants to mess with BIND configuration and manual key management when you can let Route 53 handle it all?

upvoted 0 times

...

Malinda

11 months ago

Option C looks good, but using AWS KMS to secure the keys might be overkill for a small company. I'd keep it simple with Option A.

upvoted 0 times

...

Serina

11 months ago

That's a valid point, Orville. Option B does seem to simplify the process by leveraging AWS services for key management. It could be a more secure and scalable solution.

upvoted 0 times

...

Latricia

11 months ago

I'd go with Option D. Migrating to Route 53 with DNSSEC and using AWS KMS for the KSK is a straightforward way to meet the requirement.

upvoted 0 times

Jesusa

10 months ago

I agree, migrating to Route 53 with DNSSEC enabled and using AWS KMS for the KSK sounds like a good solution.

upvoted 0 times

...

Yuette

10 months ago

Option D sounds like the best choice. Using AWS KMS for the KSK seems like a secure option.

upvoted 0 times

...

Jospeh

12 months ago

Option B seems the most operationally efficient solution. Migrating the zone to Route 53 with DNSSEC signing enabled and using AWS KMS for the keys is a secure and managed approach.

upvoted 0 times

...

Orville

12 months ago

I disagree, I believe option B is more efficient. Migrating the zone to Route 53 with DNSSEC signing enabled and using AWS KMS for key management seems like a better approach.

upvoted 0 times

...