AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company is storing highly sensitive customer data in Amazon S3 and requires that the data be encrypted at rest. The Chief Security Officer mandates that the encryption solution must allow the company to have full control over the key management process and the ability to rotate encryption keys on a regular basis. Which of the following would BEST meet these requirements?
Use a Customer Managed Key in AWS Key Management Service (KMS) with key rotation enabled
Use Amazon S3's object lock feature with versioning enabled
Use default S3 server-side encryption (SSE-S3) which employs managed keys
Use an AWS managed key in AWS KMS without enabling key rotation
Encrypt the data client-side before uploading it to Amazon S3
AWS Key Management Service (KMS) provides the ability to create and manage encryption keys and control their use across a wide range of AWS services and in your applications. It also supports key rotation, enabling customers to rotate the cryptographic keys they manage on a regular basis, which is a security best practice. Customer Managed Keys (CMKs) offer more management features and the possibility to set the key rotation policy, which aligns with the Chief Security Officer's requirements for having full control over the key management process and the ability to rotate encryption keys.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Customer Managed Keys in AWS KMS?
Open an interactive chat with Bash
How does key rotation work in AWS KMS?
Open an interactive chat with Bash
What is the difference between SSE-S3 and using AWS KMS for encryption?