AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company utilizes Amazon S3 to store sensitive customer data. They are required by compliance regulations to encrypt their data at rest. Which of the following options adheres to security best practices for managing encryption keys for this scenario?
Implement AWS Certificate Manager (ACM) to create and manage encryption keys used for Amazon S3 server-side encryption.
Store the encryption keys in the same Amazon S3 bucket as the data, using a dedicated directory for keys.
Use AWS Key Management Service (KMS) with customer-managed keys (CMKs) and enable automatic key rotation.
Use AWS Secrets Manager to create and manage encryption keys for Amazon S3 data encryption.
Using AWS Key Management Service (KMS) for handling encryption keys is a security best practice. It provides the company with a managed service to create and control encryption keys, and it automates key rotation. The use of customer-managed keys (CMKs) in KMS allows for an additional level of control and auditability over the default AWS-managed keys. AWS KMS seamlessly integrates with S3 for server-side encryption, making it the most suitable choice. AWS Secrets Manager is mainly used for rotating, managing, and retrieving secret data, and does not provide direct integration with S3 for encryption. Storing keys in Amazon S3 is not secure and does not provide the management capabilities necessary for encryption keys. AWS Certificate Manager (ACM) is primarily used for managing SSL/TLS certificates, not for managing encryption keys for storage services.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Key Management Service (KMS) and how does it work?
Open an interactive chat with Bash
What are customer-managed keys (CMKs) in AWS KMS?
Open an interactive chat with Bash
Why is it insecure to store encryption keys in the same Amazon S3 bucket as the data?