AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An enterprise needs to ensure the encryption of sensitive data stored in their Amazon S3 buckets. The company has mandated that its own encryption keys must be used, which requires them to be periodically rotated and immediately disabled in the event of a security breach. Which of the following configurations should be implemented to meet these specific requirements?
Use an AWS Managed CMK in AWS KMS without enabling key rotation.
Use AWS KMS managed keys and enable the automatic rotation feature, which occurs annually.
Use Amazon S3-Managed Keys (SSE-S3) for encryption and handle rotation outside of AWS.
Create a customer-managed CMK in AWS KMS, enable manual rotation, and use this key to encrypt the S3 buckets.
The use of a customer-managed customer master key (CMK) in AWS Key Management Service (AWS KMS) meets the enterprise's requirement since it allows the users to create, manage, and rotate their own encryption keys according to their requirements. The CMKs can be rotated manually according to the company's rotation policy or disabled immediately in case of a security breach. AWS KMS automated rotation feature is applied only once yearly and does not provide the necessary control over the rotation frequency or immediate disablement of keys. AWS S3-Managed Keys (SSE-S3) and AWS Managed CMKs do not provide the capability for customer-managed rotation and immediate disablement of keys.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a CMK in AWS KMS?
Open an interactive chat with Bash
Why is manual rotation of keys important?
Open an interactive chat with Bash
What is the difference between customer-managed and AWS-managed keys?