
Answer-first summary for fast verification
Answer: Use the AWS CLI associate-kms-key command and specify the KMS key ARN
Log group data is always encrypted at rest in CloudWatch Logs. You can optionally have that encryption performed with AWS Key Management Service (AWS KMS); if you do, the data is encrypted with a KMS customer master key (CMK; in current AWS documentation the term is simply "KMS key"). Encryption with AWS KMS is enabled at the log group level by associating a CMK with the log group, either when the log group is created (create-log-group with --kms-key-id) or afterwards (associate-kms-key with --kms-key-id). In both cases the value must be the key ARN, and the key must be a symmetric key in the same Region as the log group. Once a CMK is associated, all newly ingested data for the log group is encrypted with it and stays encrypted for its whole retention period; data ingested before the association is not re-encrypted. CloudWatch Logs decrypts the data whenever it is requested, so the key policy must grant the CloudWatch Logs service principal permission to use the key, or both the association and later reads will fail. Because the log group in the question already exists and only future data must be encrypted, the correct step is associate-kms-key, not create-log-group; describe-log-groups is read-only and cannot change encryption.
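The following script is an added example of the procedure above and is not code from the LeetQuiz page. It builds the key-policy statement that CloudWatch Logs needs on the key (to be added to the key's policy next to the account's own administrative statement), then runs associate-kms-key against the existing log group and reads back the association with describe-log-groups. The Region, account ID, log group name and key ARN are placeholders; the AWS calls only execute when the script is invoked with a log group name and key ARN as arguments, so the policy builder can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the quiz page): encrypt future data in an EXISTING
# CloudWatch Logs log group with a KMS key. All names below are hypothetical.
set -eu

# Key-policy statement that lets the CloudWatch Logs service principal use the
# key. The encryption-context condition scopes the grant to one log group ARN,
# so the same key cannot silently be used for every log group in the account.
logs_key_policy_statement() {
  region="$1"; account="$2"; log_group="$3"
  cat <<EOF
{
  "Sid": "AllowCloudWatchLogsUseOfKey",
  "Effect": "Allow",
  "Principal": { "Service": "logs.${region}.amazonaws.com" },
  "Action": [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "ArnEquals": {
      "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:${region}:${account}:log-group:${log_group}"
    }
  }
}
EOF
}

# Associate the key with the existing log group, then verify. --kms-key-id must
# be the full key ARN of a symmetric key in the same Region as the log group.
# Events ingested before this call stay under the previous encryption; only
# newly ingested events use the new key.
associate_and_verify() {
  log_group="$1"; key_arn="$2"
  aws logs associate-kms-key \
      --log-group-name "$log_group" \
      --kms-key-id "$key_arn"
  # kmsKeyId is populated on the log group once the association succeeds.
  aws logs describe-log-groups \
      --log-group-name-prefix "$log_group" \
      --query "logGroups[?logGroupName=='${log_group}'].kmsKeyId" \
      --output text
}

# Offline part: print the policy statement for a hypothetical key/log group.
logs_key_policy_statement "us-east-1" "123456789012" "prod-security-audit"

# Online part: only runs when a log group name and key ARN are supplied,
# e.g. ./encrypt-log-group.sh prod-security-audit \
#        arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555
if [ "$#" -eq 2 ]; then
  associate_and_verify "$1" "$2"
fi
```

If associate-kms-key returns an access or validation error, check the key policy first: the service principal in the statement must match the log group's Region, and the encryption-context ARN must match the log group exactly. Disassociating the key later (disassociate-kms-key) stops KMS encryption for new data but does not touch data already written with the key.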
Author: LeetQuiz Editorial Team
A cybersecurity company, which aims to ensure the highest level of security for its operations, has been actively publishing critical log data to a specific log group in Amazon CloudWatch Logs for the past three months. To comply with the company’s stringent security guidelines, there is now a requirement to encrypt any future log data using an AWS Key Management Service (KMS) customer master key (CMK).
What steps should the company take to achieve this encryption of future log data within their existing Amazon CloudWatch Logs group?
A. Use the AWS CLI create-log-group command and specify the KMS key ARN
B. Enable the encrypt feature on the log group via the CloudWatch Logs console
C. Use the AWS CLI describe-log-groups command and specify the KMS key ARN
D. Use the AWS CLI associate-kms-key command and specify the KMS key ARN