Answer-first summary for fast verification
Answer: Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation
## Explanation **Correct Answer: D - Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation** Let's analyze each option against the requirements: ### Requirements Analysis: 1. **Encryption at rest** - All options provide this 2. **Encryption key usage must be logged for auditing** - Only KMS provides detailed logging 3. **Keys must be rotated every year** - Requires key rotation capability 4. **MOST operationally efficient** - Minimizes manual effort ### Option Analysis: **A. SSE-C (Customer-provided keys)** - ❌ **No key usage logging** - Customer manages keys, AWS doesn't log usage - ❌ **Manual key rotation** - Customer must manually rotate keys - ❌ **Operationally inefficient** - Customer manages key lifecycle **B. SSE-S3 (S3 managed keys)** - ❌ **No key usage logging** - S3 manages keys internally, no usage logs - ❌ **No key rotation** - S3 doesn't rotate keys automatically - ❌ **No audit trail** - Cannot track who accessed encrypted data **C. SSE-KMS with manual rotation** - ✅ **Key usage logging** - KMS logs all key usage via CloudTrail - ✅ **Key rotation possible** - Can rotate manually - ⚠️ **Less operationally efficient** - Requires manual rotation yearly **D. SSE-KMS with automatic rotation** - ✅ **Key usage logging** - KMS logs all key usage via CloudTrail - ✅ **Automatic key rotation** - KMS can rotate keys automatically (every year) - ✅ **Most operationally efficient** - Automated rotation reduces manual effort - ✅ **Compliance ready** - Provides audit trail for compliance requirements ### Key AWS KMS Features: - **CloudTrail Integration**: Logs all KMS API calls including key usage - **Automatic Key Rotation**: Can be enabled to rotate keys automatically every year - **Key Policies**: Fine-grained access control - **Audit Trail**: Complete visibility into who used keys and when ### Why Not Other Options: - **SSE-C**: Customer manages keys, no AWS logging - **SSE-S3**: S3 manages keys internally, no audit trail - **Manual KMS rotation**: Works but less efficient than automatic **Conclusion**: SSE-KMS with automatic rotation meets all requirements while being the most operationally efficient solution.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year. Which solution meets these requirements and is the MOST operationally efficient?
A
Server-side encryption with customer-provided keys (SSE-C)
B
Server-side encryption with Amazon S3 managed keys (SSE-S3)
C
Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation
D
Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation