AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Explanation:

Explanation

Correct Answer: D - Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation

Let's analyze each option against the requirements:

Requirements Analysis:

Encryption at rest - All options provide this
Encryption key usage must be logged for auditing - Only KMS provides detailed logging
Keys must be rotated every year - Requires key rotation capability
MOST operationally efficient - Minimizes manual effort

Option Analysis:

A. SSE-C (Customer-provided keys)

❌ No key usage logging - Customer manages keys, AWS doesn't log usage
❌ Manual key rotation - Customer must manually rotate keys
❌ Operationally inefficient - Customer manages key lifecycle

B. SSE-S3 (S3 managed keys)

❌ No key usage logging - S3 manages keys internally, no usage logs
❌ No key rotation - S3 doesn't rotate keys automatically
❌ No audit trail - Cannot track who accessed encrypted data

C. SSE-KMS with manual rotation

✅ Key usage logging - KMS logs all key usage via CloudTrail
✅ Key rotation possible - Can rotate manually
⚠️ Less operationally efficient - Requires manual rotation yearly

D. SSE-KMS with automatic rotation

✅ Key usage logging - KMS logs all key usage via CloudTrail
✅ Automatic key rotation - KMS can rotate keys automatically (every year)
✅ Most operationally efficient - Automated rotation reduces manual effort
✅ Compliance ready - Provides audit trail for compliance requirements

Key AWS KMS Features:

CloudTrail Integration: Logs all KMS API calls including key usage
Automatic Key Rotation: Can be enabled to rotate keys automatically every year
Key Policies: Fine-grained access control
Audit Trail: Complete visibility into who used keys and when

Why Not Other Options:

SSE-C: Customer manages keys, no AWS logging
SSE-S3: S3 manages keys internally, no audit trail
Manual KMS rotation: Works but less efficient than automatic

Conclusion: SSE-KMS with automatic rotation meets all requirements while being the most operationally efficient solution.

Explanation:

Explanation

Correct Answer: D - Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation

Let's analyze each option against the requirements:

Requirements Analysis:

Encryption at rest - All options provide this
Encryption key usage must be logged for auditing - Only KMS provides detailed logging
Keys must be rotated every year - Requires key rotation capability
MOST operationally efficient - Minimizes manual effort

Option Analysis:

A. SSE-C (Customer-provided keys)

❌ No key usage logging - Customer manages keys, AWS doesn't log usage
❌ Manual key rotation - Customer must manually rotate keys
❌ Operationally inefficient - Customer manages key lifecycle

B. SSE-S3 (S3 managed keys)

❌ No key usage logging - S3 manages keys internally, no usage logs
❌ No key rotation - S3 doesn't rotate keys automatically
❌ No audit trail - Cannot track who accessed encrypted data

C. SSE-KMS with manual rotation

✅ Key usage logging - KMS logs all key usage via CloudTrail
✅ Key rotation possible - Can rotate manually
⚠️ Less operationally efficient - Requires manual rotation yearly

D. SSE-KMS with automatic rotation

✅ Key usage logging - KMS logs all key usage via CloudTrail
✅ Automatic key rotation - KMS can rotate keys automatically (every year)
✅ Most operationally efficient - Automated rotation reduces manual effort
✅ Compliance ready - Provides audit trail for compliance requirements

Key AWS KMS Features:

CloudTrail Integration: Logs all KMS API calls including key usage
Automatic Key Rotation: Can be enabled to rotate keys automatically every year
Key Policies: Fine-grained access control
Audit Trail: Complete visibility into who used keys and when

Why Not Other Options:

SSE-C: Customer manages keys, no AWS logging
SSE-S3: S3 manages keys internally, no audit trail
Manual KMS rotation: Works but less efficient than automatic

Conclusion: SSE-KMS with automatic rotation meets all requirements while being the most operationally efficient solution.

Comments (0)

No comments yet.

A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year. Which solution meets these requirements and is the MOST operationally efficient?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Server-side encryption with customer-provided keys (SSE-C)

Server-side encryption with Amazon S3 managed keys (SSE-S3)

Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation