Ultimate access to all questions.
Answer-first summary for fast verification
Answer: Create a customer managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
## Explanation **Correct Answer: B** **Why Option B is correct:** 1. **Customer Managed Keys (CMK)**: The company needs to "fully control the ability of users to create, rotate, and disable encryption keys." Customer managed keys in AWS KMS provide exactly this capability - you have full control over key creation, rotation policies, and disabling/enabling keys. 2. **SSE-KMS**: Using server-side encryption with AWS KMS keys (SSE-KMS) allows S3 to automatically encrypt objects using the specified KMS key, providing seamless integration. 3. **Minimal effort**: SSE-KMS requires minimal configuration - just specify the KMS key ID when uploading objects or configure bucket-level encryption. **Why other options are incorrect:** **Option A (SSE-S3)**: - Uses S3-managed keys, not customer-controlled keys - The company cannot create, rotate, or disable these keys - Keys are managed entirely by AWS **Option C (AWS Managed Key)**: - AWS managed keys are created and managed by AWS, not the customer - While they can be used with SSE-KMS, the company doesn't have full control over key creation, rotation, or disabling - These keys are automatically rotated by AWS **Option D (Client-side encryption)**: - Requires downloading, encrypting, and re-uploading objects - not "minimal effort" - Adds complexity and potential security risks during data transfer - Doesn't leverage AWS's managed encryption services effectively **Key AWS Concepts:** - **SSE-KMS**: Server-side encryption using AWS KMS keys - **Customer Managed Keys**: Keys you create and manage in AWS KMS - **AWS Managed Keys**: Keys automatically created and managed by AWS services - **SSE-S3**: Server-side encryption using S3-managed keys **Best Practice**: For organizations requiring full control over encryption keys while maintaining operational simplicity, customer managed keys with SSE-KMS is the recommended approach.
Author: LeetQuiz Editorial Team
No comments yet.
A company stores sensitive data in Amazon S3. A solutions architect needs to create an encryption solution. The company needs to fully control the ability of users to create, rotate, and disable encryption keys with minimal effort for any data that must be encrypted.
Which solution will meet these requirements?
A
Use default server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to store the sensitive data.
B
Create a customer managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
C
Create an AWS managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
D
Download S3 objects to an Amazon EC2 instance. Encrypt the objects by using customer managed keys. Upload the encrypted objects back into Amazon S3.