Q41 — AWS DVA-C02 Ch.3
A developer stores sensitive data generated by an application in Amazon S3. The developer wants to encrypt the data at rest, and company policy requires audit trails that track who used an AWS Key Management Service (AWS KMS) key and when it was used.
- A. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- B. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) ✓
- C. Server-Side Encryption with Customer-Provided Keys (SSE-C)
- D. Server-Side Encryption with customer-managed keys
Correct Answer: B. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Explanation
Option B (Server-Side Encryption with AWS KMS-Managed Keys, SSE-KMS) satisfies these requirements. With SSE-KMS, AWS KMS manages the encryption keys, which makes it possible to track who used a key and when. AWS KMS provides key management together with logging and audit capabilities for encryption operations, which meets the company policy requirement for auditing key usage. In contrast, SSE-S3 and SSE-C do not provide AWS KMS key management and audit trail capabilities, and server-side encryption with customer-managed keys may not align with AWS’s fully managed service model.