AWS Certified Developer Associate DVA-C02 Practice Question
A company is storing sensitive documents in an Amazon S3 bucket and wants to implement a solution where the development team can upload encrypted files without managing the encryption keys directly. The encryption should allow the use of different keys for each S3 object and enable the automatic rotation of those keys. Which of the following should the development team implement to meet these requirements?
Implement Server-Side Encryption with Customer-Provided Keys (SSE-C) and manage key rotation using a cron job on an EC2 instance.
Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) and enable automatic key rotation.
Enable Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) and schedule an AWS Lambda function to rotate the keys regularly.
Store and manage encryption keys in AWS CloudHSM and manually rotate the keys by creating new HSM-backed keys when required.
AWS Key Management Service (KMS) is designed for secure key management and allows for automatic key rotation on customer-managed keys. When using the SSE-KMS option, each S3 object is encrypted with a unique data key, and these data keys are themselves encrypted with a master key from KMS, which can be configured for automatic rotation. This meets all of the stated requirements.
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) is incorrect because while AWS rotates the underlying keys, the user has no control over this process, and a Lambda function cannot be used to manage them.
Server-Side Encryption with Customer-Provided Keys (SSE-C) is incorrect because it requires the client to provide and manage its own encryption keys, which contradicts the stated requirements.
Using AWS CloudHSM is incorrect because it is designed for environments with stringent regulatory requirements needing single-tenant HSMs and does not offer a simple, built-in automatic key rotation feature like KMS.
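Added example (not part of the original question and not AWS's own code): an offline check that a bucket's default encryption is SSE-KMS with a customer-managed key that has automatic rotation enabled, as the explanation above requires. The function name, the sample values and the key ARN are constructed for illustration; the dict shapes are assumed to follow the S3 GetBucketEncryption, KMS DescribeKey and KMS GetKeyRotationStatus responses.

```python
def audit_bucket_encryption(bucket_encryption, key_metadata, rotation_status):
    """Return a list of findings; an empty list means the requirements are met.

    The arguments are dicts shaped like the responses of S3 GetBucketEncryption,
    KMS DescribeKey and KMS GetKeyRotationStatus (fetch them however you like).
    """
    rules = (bucket_encryption.get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    if not rules:
        return ["no default encryption rule configured"]

    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm != "aws:kms":
        # "AES256" here means SSE-S3: keys are owned and rotated by S3 itself.
        return [f"default algorithm is {algorithm!r}, not 'aws:kms' (SSE-KMS)"]
    if not default.get("KMSMasterKeyID"):
        # Without an explicit key, S3 uses the AWS managed key aws/s3.
        return ["no KMSMasterKeyID set; S3 falls back to the AWS managed key"]

    findings = []
    if key_metadata.get("KeyMetadata", {}).get("KeyManager") != "CUSTOMER":
        findings.append("KMS key is not customer managed")
    if not rotation_status.get("KeyRotationEnabled", False):
        findings.append("automatic key rotation is not enabled on the KMS key")
    return findings


# Constructed sample responses (placeholder account id and key id).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SSE_KMS_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": KEY_ARN}}]}}
SSE_S3_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
CUSTOMER_KEY = {"KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER"}}
ROTATION_ON = {"KeyRotationEnabled": True}
ROTATION_OFF = {"KeyRotationEnabled": False}

if __name__ == "__main__":
    for name, args in [
        ("SSE-KMS, rotation on", (SSE_KMS_BUCKET, CUSTOMER_KEY, ROTATION_ON)),
        ("SSE-KMS, rotation off", (SSE_KMS_BUCKET, CUSTOMER_KEY, ROTATION_OFF)),
        ("SSE-S3", (SSE_S3_BUCKET, {}, {})),
    ]:
        print(name, "->", audit_bucket_encryption(*args) or "OK")
```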