Q18 — AWS DVA-C02 Ch.2
Question 18 of 100
A company stores documents in Amazon S3 using default settings. A new compliance requirement mandates encryption of static documents, annual rotation of encryption keys, and logging of key rotation timestamps. The company does not want to manage encryption keys outside AWS. Which solution satisfies these requirements?
- A. Use server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
- B. Use server-side encryption with AWS KMS–managed encryption keys (SSE-KMS). ✓
- C. Use server-side encryption with customer-provided encryption keys (SSE-C).
- D. Use client-side encryption before sending data to Amazon S3.
Correct Answer: B. Use server-side encryption with AWS KMS–managed encryption keys (SSE-KMS).
Explanation
Server-side encryption with AWS KMS–managed keys (SSE-KMS) satisfies all of the compliance requirements without external key management: KMS keys support key rotation (including automatic annual rotation), AWS CloudTrail provides a detailed audit trail showing when and by whom keys were used, key policies allow fine-grained key-level permissions, and the full key lifecycle is managed within AWS. SSE-S3 does not support custom key rotation or audit logging of key activity; SSE-C requires the customer to supply and manage keys outside AWS; client-side encryption shifts the key management burden entirely to the customer.