AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An enterprise needs to ensure the encryption of sensitive data stored in their Amazon S3 buckets. The company has mandated that its own encryption keys must be used, and those keys must be capable of being rotated on a company-defined schedule and disabled immediately in the event of a security breach. Which of the following configurations should be implemented to meet these specific requirements?
Create a customer-managed CMK in AWS KMS, use it to encrypt the S3 buckets (SSE-KMS), and manage rotation/disablement according to the company policy.
Use Amazon S3-managed keys (SSE-S3) for encryption and handle rotation outside of AWS.
Use an AWS-managed KMS key and rely on its automatic annual rotation.
Use an AWS-managed CMK in AWS KMS without enabling key rotation.
Using a customer-managed AWS KMS key (CMK) satisfies the requirements because the organization controls the key material.
Rotation: A customer-managed CMK can be rotated on demand or by enabling automatic rotation with a custom period from 90 to 2560 days (default 365 days), giving the company full control over the schedule.
Disablement: The key owner can call the DisableKey operation to make the CMK unusable almost immediately if a compromise is suspected.
AWS-managed keys (the default aws/s3 key) rotate automatically every year and cannot be disabled or have their schedule changed. SSE-S3 uses keys fully managed by Amazon S3, so the customer cannot supply, rotate, or disable its own keys. Therefore, creating and using a customer-managed CMK for SSE-KMS on the S3 bucket is the only configuration that meets all stated requirements.
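As an added example (not part of the practice question), the following CloudFormation template implements the recommended configuration: a customer-managed KMS key with a company-chosen automatic rotation period, and an S3 bucket whose default encryption is SSE-KMS with that key. The alias name, bucket name and the 180-day period are assumed values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Customer-managed KMS key with a company-defined rotation period, used for SSE-KMS on an S3 bucket

Resources:
  # Customer-managed key: the account owns the key policy and the key lifecycle.
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for sensitive data in the example bucket
      # Set to false (or call kms:DisableKey) to make the key unusable
      # immediately; every SSE-KMS read and write that uses it then fails.
      Enabled: true
      EnableKeyRotation: true
      # Company-defined schedule; any value from 90 to 2560 days is accepted
      # (the default is 365). 180 is an assumed policy value.
      RotationPeriodInDays: 180
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Account root keeps full administrative control (disable, rotate, delete).
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'

  DataKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/example-sensitive-data   # assumed alias name
      TargetKeyId: !Ref DataKey

  SensitiveBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: example-sensitive-data-bucket   # assumed; must be globally unique
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms              # SSE-KMS, not SSE-S3 (AES256)
              KMSMasterKeyID: !GetAtt DataKey.Arn
            BucketKeyEnabled: true               # fewer KMS calls, same key control
```

In an incident, cutting off access to every object encrypted under this key is a single `aws kms disable-key --key-id <key-id>` call, which is what the Enabled property above mirrors; neither SSE-S3 nor the AWS-managed aws/s3 key offers that control.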