Q18 — AWS DVA-C02 Ch.2

Question 18 of 100

A company stores documents in Amazon S3 using default settings. A new compliance requirement mandates encryption of static documents, annual rotation of encryption keys, and logging of key rotation timestamps. The company does not want to manage encryption keys outside AWS. Which solution satisfies these requirements?

Correct Answer: B. Use server-side encryption with AWS KMS–managed encryption keys (SSE-KMS).

Explanation

Server-side encryption with AWS KMS–managed keys (SSE-KMS) provides key rotation capabilities (including automatic annual rotation), detailed audit trails via AWS CloudTrail showing when and by whom keys were used, fine-grained key-level permissions, and full key lifecycle management within AWS — satisfying all compliance requirements without external key management. SSE-S3 does not support customer-controlled key rotation or per-key audit logging; SSE-C requires the customer to manage keys outside AWS; client-side encryption shifts the key-management burden entirely to the customer.