Q36 — AWS SAA-C03 Ch.1
Q36. A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. The key must be rotated every year. Which solution meets these requirements and is the MOST operationally efficient?
- A. Server-side encryption with customer-provided keys (SSE-C)
- B. Server-side encryption with Amazon S3 managed keys (SSE-S3)
- C. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation
- D. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation ✓
Correct Answer: D. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation.
Explanation
The solution that meets all three requirements (encryption at rest, logged key usage for auditing, and yearly key rotation) with the least operational effort is D: server-side encryption with AWS KMS (SSE-KMS) using customer master keys (CMKs) with automatic rotation. SSE-KMS encrypts the objects at rest, and once automatic rotation is enabled AWS KMS generates new key material for the CMK every year without any administrator action. Because every use of a KMS key is an API call, each encrypt and decrypt operation is recorded in AWS CloudTrail, which satisfies the auditing requirement.

Option A, server-side encryption with customer-provided keys (SSE-C), requires the company to generate, protect and supply the keys on every request, which adds complexity and risk to the architecture. Option B, server-side encryption with Amazon S3 managed keys (SSE-S3), does not provide automatic key rotation, so it would require manual key rotation and add administrative overhead; it also does not produce per-key usage records in CloudTrail. Option C uses the same SSE-KMS encryption and CloudTrail logging as D but relies on manual rotation, so someone must rotate the key every year, which makes it less operationally efficient.