AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company needs to store contract documents. A contract lasts for 5 years. During the 5-year period, the company must ensure that the documents cannot be overwritten or deleted. The company needs to encrypt the documents at rest and rotate the encryption keys automatically every year.
Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead? (Choose two.)
Other
Community
UAnonymous
A
Store the documents in Amazon S3. Use S3 Object Lock in governance mode.
B
Store the documents in Amazon S3. Use S3 Object Lock in compliance mode.
C
Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure key rotation.
D
Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.
E
Use server-side encryption with AWS Key Management Service (AWS KMS) customer provided (imported) keys. Configure key rotation.
Explanation:
Explanation
Why B (S3 Object Lock in compliance mode) is correct:
- The requirement states that documents "cannot be overwritten or deleted" for 5 years.
- Compliance mode provides stronger protection than governance mode. In compliance mode, no one (including root users) can delete or overwrite objects until the retention period expires.
- Governance mode allows users with special permissions to delete or overwrite objects, which doesn't meet the strict "cannot be overwritten or deleted" requirement.
- The 5-year retention period aligns perfectly with S3 Object Lock capabilities.
Why D (AWS KMS customer managed keys with key rotation) is correct:
- The requirement is to "encrypt the documents at rest and rotate the encryption keys automatically every year."
- SSE-S3 (Option C) uses S3-managed keys, but key rotation is not configurable by the customer - AWS manages this automatically.
- AWS KMS customer managed keys (Option D) allow you to configure automatic key rotation (up to once per year), which meets the "rotate the encryption keys automatically every year" requirement.
- Customer provided keys (Option E) would require the customer to manage and rotate the keys themselves, increasing operational overhead.
- AWS KMS customer managed keys provide the least operational overhead while meeting the encryption and automatic key rotation requirements.
Why other options are incorrect:
- A (Governance mode): Doesn't provide the strictest protection needed for compliance requirements.
- C (SSE-S3): While it provides encryption, customers cannot configure key rotation schedules - AWS manages this automatically.
- E (Customer provided keys): Requires the customer to manage key lifecycle and rotation, increasing operational overhead.
Summary: The combination of S3 Object Lock in compliance mode (B) ensures documents cannot be modified or deleted for 5 years, while AWS KMS customer managed keys with automatic key rotation (D) provides encryption with yearly key rotation with minimal operational overhead.
Comments
Loading comments...