AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company is migrating sensitive customer data to Amazon S3. The company's compliance policy mandates that all data at rest must be encrypted with keys managed by the organizational security team. Which service should be used to manage the encryption keys, and how should it be configured to meet this requirement?
Implement AWS Certificate Manager (AWS ACM) to issue a certificate for securing customer data on S3.
Use the AWS Key Management Service (AWS KMS) to create a Customer Managed Key (CMK) with a key policy that allows only the security team to use it.
Activate Amazon GuardDuty with encryption options to automatically encrypt all data written to Amazon S3.
Enable Amazon S3 server-side encryption with Amazon S3-managed keys (SSE-S3) without additional configurations.
AWS Key Management Service (AWS KMS) is the service that allows customers to create and manage encryption keys. It provides the ability to control the use of the key in cryptographic operations. By creating a Customer Managed Key (CMK) and defining the key policy to allow only the security team to manage and use the key, the compliance requirement can be met. S3 will use this CMK to encrypt data at rest. Other options like AWS Certificate Manager are primarily for managing SSL/TLS certificates, not encryption keys for data at rest, and Amazon S3 server-side encryption does not provide the fine-grained key management needed to comply with the requirement that only the security team can manage the keys.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Key Management Service (AWS KMS)?
Open an interactive chat with Bash
What is a Customer Managed Key (CMK)?
Open an interactive chat with Bash
Why is it important to restrict access to encryption keys?