
Answer-first summary for fast verification
Answer: Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket.
## Explanation

**Correct Answer: B**

**Why Option B is correct:**

1. **AWS KMS Customer Managed Key with Automatic Rotation** - This solution meets both requirements:
   - Data is encrypted at rest in S3 using server-side encryption with KMS (SSE-KMS).
   - Automatic key rotation is enabled on the customer managed key, which rotates the key material every year automatically.
   - This provides the least operational overhead, as AWS handles the key rotation automatically.

2. **Why the other options are incorrect:**
   - **Option A (SSE-S3)**: While SSE-S3 does encrypt data and has built-in key management, SSE-S3 keys are **not automatically rotated** in a way that meets the requirement. AWS manages the underlying keys, but there is no automatic yearly rotation feature that customers can rely on.
   - **Option C (Manual Rotation)**: This requires manual intervention every year, which increases operational overhead and does not meet the "automatic" rotation requirement.
   - **Option D (Customer Key Material)**: This involves client-side encryption and importing customer key material, which is complex and has higher operational overhead. While automatic rotation can be enabled, the initial setup and management are more complex than Option B.

**Key AWS Concepts:**

- **SSE-S3**: Server-side encryption with S3-managed keys. AWS manages the encryption keys, but there is no automatic yearly rotation feature.
- **SSE-KMS**: Server-side encryption with KMS-managed keys. When using customer managed keys in KMS, you can enable automatic key rotation (every 365 days).
- **Automatic Key Rotation in KMS**: When enabled, AWS KMS generates new cryptographic material for the KMS key every year. The old key material is retained for decryption of previously encrypted data.

**Best Practice**: For compliance requirements that mandate regular key rotation, using AWS KMS customer managed keys with automatic rotation is the recommended approach, as it provides both security and minimal operational overhead.
Author: LeetQuiz Editorial Team
A company is planning to move its data to an Amazon S3 bucket. The data must be encrypted when it is stored in the S3 bucket. Additionally, the encryption key must be automatically rotated every year.
Which solution will meet these requirements with the LEAST operational overhead?
A. Move the data to the S3 bucket. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.

B. Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket.

C. Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket. Manually rotate the KMS key every year.

D. Encrypt the data with customer key material before moving the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.
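The reasoning in the explanation, applied as a compliance check over API responses shaped like boto3's `get_bucket_encryption`, `describe_key` and `get_key_rotation_status`, as an added example that is not part of the LeetQuiz explanation; the sample responses, the key ID and the `assess()` helper name are constructed for this illustration, and the checker treats options A, B and C as three bucket/key configurations of the same S3 bucket.

```python
from dataclasses import dataclass, field
from typing import List, Optional

KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}  # SSE-KMS and dual-layer SSE-KMS


@dataclass
class Finding:
    compliant: bool
    reasons: List[str] = field(default_factory=list)


def assess(bucket_encryption: dict, key_metadata: Optional[dict] = None,
           rotation: Optional[dict] = None) -> Finding:
    """Check 'encrypted at rest' + 'automatic yearly rotation' against responses shaped like
    s3.get_bucket_encryption(), kms.describe_key()['KeyMetadata'] and kms.get_key_rotation_status()."""
    reasons: List[str] = []
    rules = bucket_encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return Finding(False, ["no default encryption rule: objects could land unencrypted"])
    algo = rules[0].get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
    if algo == "AES256":  # Option A: SSE-S3, no customer-controllable rotation schedule
        return Finding(False, ["SSE-S3: AWS owns the keys; no auditable yearly rotation"])
    if algo not in KMS_ALGORITHMS:
        return Finding(False, [f"unexpected SSEAlgorithm {algo!r}"])
    if key_metadata is None or rotation is None:
        return Finding(False, ["SSE-KMS set, but the KMS key details were not retrieved"])
    if key_metadata.get("KeyManager") != "CUSTOMER":
        reasons.append("not a customer managed key: rotation schedule is not under your control")
    if key_metadata.get("KeyState") != "Enabled":
        reasons.append(f"key state is {key_metadata.get('KeyState')!r}, not Enabled")
    if not rotation.get("KeyRotationEnabled", False):  # Option C: manual yearly rotation needed
        reasons.append("automatic rotation disabled: yearly rotation becomes a manual task")
    return Finding(not reasons, reasons)


# Constructed sample responses (not captured from a real account).
CMK_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
SSE_S3_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ID},
     "BucketKeyEnabled": True}]}}
CMK_METADATA = {"KeyId": CMK_ID, "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeyState": "Enabled"}
ROTATION_ON, ROTATION_OFF = {"KeyRotationEnabled": True}, {"KeyRotationEnabled": False}


def option_a() -> Finding: return assess(SSE_S3_BUCKET)
def option_b() -> Finding: return assess(SSE_KMS_BUCKET, CMK_METADATA, ROTATION_ON)
def option_c() -> Finding: return assess(SSE_KMS_BUCKET, CMK_METADATA, ROTATION_OFF)


if __name__ == "__main__":
    for name, f in (("A", option_a()), ("B", option_b()), ("C", option_c())):
        print(name, "compliant" if f.compliant else "non-compliant", f.reasons)
```

Only option B produces no reasons; in a real account the same function can be fed the live responses for each bucket and its default key.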