AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company is required to enforce strict access policies regarding the management of its encryption keys used to secure sensitive data at rest on Amazon S3. Which of the following is the BEST method to ensure that only a select group of senior security personnel can administer the keys?
Use AWS managed keys for S3 and rely on default encryption features to restrict key administration.
Implement automatic key rotation every three months for the encryption keys.
Encapsulate the encryption keys using an additional layer of encryption with a separate master key.
Create a Customer Managed Key in AWS KMS and restrict access to a specific IAM group assigned to the senior security personnel.