AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year. Which solution meets these requirements and is the MOST operationally efficient?
Other
Community
UAnonymous
A
Server-side encryption with customer-provided keys (SSE-C)
B
Server-side encryption with Amazon S3 managed keys (SSE-S3)
C
Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation
D
Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation
Explanation:
Explanation
Correct Answer: D - Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation
Let's analyze each option against the requirements:
Requirements Analysis:
- Encryption at rest - All options provide this
- Encryption key usage must be logged for auditing - Only KMS provides detailed logging
- Keys must be rotated every year - Requires key rotation capability
- MOST operationally efficient - Minimizes manual effort
Option Analysis:
A. SSE-C (Customer-provided keys)
- ❌ No key usage logging - Customer manages keys, AWS doesn't log usage
- ❌ Manual key rotation - Customer must manually rotate keys
- ❌ Operationally inefficient - Customer manages key lifecycle
B. SSE-S3 (S3 managed keys)
- ❌ No key usage logging - S3 manages keys internally, no usage logs
- ❌ No key rotation - S3 doesn't rotate keys automatically
- ❌ No audit trail - Cannot track who accessed encrypted data
C. SSE-KMS with manual rotation
- ✅ Key usage logging - KMS logs all key usage via CloudTrail
- ✅ Key rotation possible - Can rotate manually
- ⚠️ Less operationally efficient - Requires manual rotation yearly
D. SSE-KMS with automatic rotation
- ✅ Key usage logging - KMS logs all key usage via CloudTrail
- ✅ Automatic key rotation - KMS can rotate keys automatically (every year)
- ✅ Most operationally efficient - Automated rotation reduces manual effort
- ✅ Compliance ready - Provides audit trail for compliance requirements
Key AWS KMS Features:
- CloudTrail Integration: Logs all KMS API calls including key usage
- Automatic Key Rotation: Can be enabled to rotate keys automatically every year
- Key Policies: Fine-grained access control
- Audit Trail: Complete visibility into who used keys and when
Why Not Other Options:
- SSE-C: Customer manages keys, no AWS logging
- SSE-S3: S3 manages keys internally, no audit trail
- Manual KMS rotation: Works but less efficient than automatic
Conclusion: SSE-KMS with automatic rotation meets all requirements while being the most operationally efficient solution.
Comments
Loading comments...