AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company is required to enforce strict access policies regarding the management of its encryption keys used to secure sensitive data at rest on Amazon S3. Which of the following is the BEST method to ensure that only a select group of senior security personnel can administer the keys?
Encapsulate the encryption keys using an additional layer of encryption with a separate master key.
Use AWS managed keys for S3 and rely on default encryption features to restrict key administration.
Implement automatic key rotation every three months for the encryption keys.
Create a Customer Managed Key in AWS KMS and restrict access to a specific IAM group assigned to the senior security personnel.
Creating a Customer Managed Key in AWS Key Management Service (KMS) and using IAM policies to restrict access to that key to a specific IAM group containing the senior security personnel provides a secure way to allow only authorized staff to manage the keys. This fits the principle of least privilege by specifically designating which IAM identities have permissions to perform key administrative operations. Using AWS managed keys does not provide the same level of granular control over access permissions. Encrypting the keys with another key would add complexity without solving the access control requirement. Rotating keys independently of access policies ensures keys are refreshed regularly but does not address who can manage key permissions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS KMS and why is it used?
Open an interactive chat with Bash
What are IAM policies and how do they work with AWS KMS?