AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A financial-services company stores sensitive transaction records in Amazon S3 using server-side encryption. The records must remain encrypted at rest, and the security team needs centralized control over the encryption keys, including the ability to enforce periodic, automated key rotation. Which configuration best meets these requirements?
Use AWS managed keys provided by the service, which rotate automatically every year.
Allow application developers to generate and replace encryption keys manually on a regular basis.
Create AWS customer-managed keys and run a scheduled script (for example, a Lambda function) to import new key material periodically.
AWS customer-managed KMS keys give the security team full control over the key policies, aliases, and rotation settings. Automatic rotation can be enabled (default 365 days, or a custom period from 90 - 2560 days), so the keys are refreshed on a schedule without manual effort. AWS-managed keys also rotate automatically every year, but the organization cannot view the key policies, attach custom policies, or adjust the rotation schedule; therefore they do not satisfy the requirement for centralized key management. Manually rotating keys through scripts or developer processes introduces operational overhead and potential error, and does not leverage KMS's built-in automation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are customer managed keys and how do they differ from managed service keys?
Open an interactive chat with Bash
What does automated key rotation involve and why is it important?
Open an interactive chat with Bash
How can organizations monitor and manage access to customer managed keys?