Q24 — AWS AIF-C01 Ch.3

A company wants to apply single-layer object-level server-side encryption to data stored in an Amazon S3 bucket. Data scientists will use this data to train ML models. Data scientists want to control encryption key rotation. Which solution satisfies these requirements with minimal operational overhead?

Correct Answer: B. Server-side encryption with AWS KMS keys (SSE-KMS)

Explanation

For single-layer object-level server-side encryption in Amazon S3 with controlled key rotation, server-side encryption with AWS KMS keys (SSE-KMS) is appropriate. SSE-KMS leverages AWS Key Management Service (KMS) to manage encryption keys—including creation, rotation, and deletion—providing both security and ease of management. Compared to client-side encryption or SSE-C, SSE-KMS reduces operational overhead because AWS KMS handles key lifecycle management securely. DSSE-KMS is not a standard Amazon S3 encryption option and therefore does not meet the requirement.