AWS KMS CMKs for Server-Side Encryption of DynamoDB Tables

Identifying DynamoDB Tables Using AWS KMS CMKs

Question

AWS KMS CMKs are being used to provide server-side encryption of DynamoDB tables.

The security team wants to audit the CMKs and identify DynamoDB tables using the keys for encryption at rest.

What service can be used to perform this activity?

Answers

Explanations


Answer: B.

When DynamoDB uses AWS KMS Customer Managed Keys for server-side encryption, it uses KMS requests (e.g., GenerateDataKey, Decrypt, CreateGrant) for performing various encryption operations.

These KMS API operations are logged in CloudTrail logs.

Therefore, CloudTrail logs can be used to identify which CMKs are used by DynamoDB tables.

Hence Option B is CORRECT.

Option A is incorrect because CloudWatch is a monitoring service that collects metrics, logs, and events; it is not the record of KMS API calls.

Option C is incorrect because Trusted Advisor is a service for analyzing AWS resources and infrastructure against AWS best practices.

Option D is incorrect because AWS Config is a service for tracking and monitoring configuration changes of AWS resources.

Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html#dynamodb-cmk-trail

The correct answer to this question is B. CloudTrail.

CloudTrail is a service that records API calls and events made within an AWS account. It captures and stores data about every event in the AWS environment, including who made the request, when it was made, and the source IP address. With CloudTrail, users can audit and monitor activity within their AWS environment.

In this scenario, the security team wants to audit the AWS KMS CMKs and identify the DynamoDB tables that are using the keys for encryption at rest. By using CloudTrail, the security team can track all API calls made to the KMS service, including the creation and usage of CMKs. They can also identify which DynamoDB tables are using these CMKs for server-side encryption, because each KMS request DynamoDB makes carries an encryption context that names the table (aws:dynamodb:tableName), and that context is recorded in the CloudTrail event.
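The audit described in both explanations above, as an added example (not from the original page or AWS documentation): it walks CloudTrail records, keeps only the KMS events that DynamoDB originated, and maps each table to the CMK it used. The records, key ARNs and account ID are constructed samples shaped like CloudTrail's KMS events; field names follow the CloudTrail record format.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (fields trimmed to those used here).
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
  "userIdentity": {"type": "AWSService", "invokedBy": "dynamodb.amazonaws.com"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1",
   "encryptionContext": {"aws:dynamodb:tableName": "Orders", "aws:dynamodb:subscriberId": "111122223333"}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AWSService", "invokedBy": "dynamodb.amazonaws.com"},
  "requestParameters": {"encryptionContext": {"aws:dynamodb:tableName": "Sessions", "aws:dynamodb:subscriberId": "111122223333"}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"}]},
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"encryptionContext": {"app": "billing"}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "requestParameters": {}}
]}""")

TABLE_CTX = "aws:dynamodb:tableName"  # encryption-context key DynamoDB sets on its KMS calls

def key_arn(record):
    """Key ARN from the event's resources list, falling back to requestParameters.keyId."""
    for res in record.get("resources") or []:
        if ":key/" in res.get("ARN", ""):
            return res["ARN"]
    return (record.get("requestParameters") or {}).get("keyId")

def map_tables_to_keys(records):
    """Return {table_name: {key_arn, ...}} built from DynamoDB-originated KMS events.
    A DynamoDB request is recognised by the table name in its encryption context,
    so KMS calls made by other principals (the IAM user above) are skipped."""
    usage = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        if TABLE_CTX not in ctx:
            continue
        arn = key_arn(rec)
        if arn:
            usage[ctx[TABLE_CTX]].add(arn)
    return dict(usage)

def tables_for_key(records, cmk_arn):
    """Tables observed using one audited CMK (the audit step the question asks for)."""
    return sorted(t for t, keys in map_tables_to_keys(records).items() if cmk_arn in keys)

if __name__ == "__main__":
    for table, keys in map_tables_to_keys(SAMPLE_TRAIL["Records"]).items():
        print(table, "->", ", ".join(sorted(keys)))
```

On real data, feed the function the `Records` array from CloudTrail log files (or the events returned by a lookup filtered on `EventSource` = `kms.amazonaws.com`).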

CloudWatch, on the other hand, is a monitoring service that collects and tracks metrics, logs, and events for AWS resources. AWS Trusted Advisor provides best practices recommendations and checks for security, cost optimization, and performance in an AWS environment. AWS Config is a service that provides a detailed inventory of AWS resources and their configuration history, enabling users to track changes to resources over time. While these services may be useful in other scenarios, they are not specifically designed for auditing CMKs or identifying DynamoDB tables using these keys.