AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An organization is looking to migrate sensitive financial records to Amazon S3 for storage and regulatory compliance purposes. The Chief Security Officer (CSO) wants to ensure that the data is encrypted at rest using a managed service that allows control over the encryption keys and their rotation. Which service should be used to encrypt the data at rest while allowing the organization full control over the encryption keys and their rotation schedules?
The correct answer is AWS Key Management Service (KMS). KMS gives the organization control over the encryption keys: key creation, key policies and grants that govern who may use a key, CloudTrail logging of every use, and automatic key rotation. With a customer managed key (the older documentation calls these CMKs), the organization owns the rotation schedule; automatic rotation was historically fixed at once a year, and KMS now lets you choose a rotation period between 90 and 2,560 days, or rotate manually by creating a new key and repointing an alias. Amazon S3 supports server-side encryption with KMS keys (SSE-KMS) for data at rest: set the bucket's default encryption to aws:kms with the customer managed key's ARN, and optionally add a bucket policy that denies PutObject requests that do not specify SSE-KMS with that key. One caveat worth knowing for the exam and for practice: rotating a KMS key does not re-encrypt objects already stored in S3. KMS keeps the previous key material so existing ciphertexts still decrypt, and new objects use the new material.
Why the other options are wrong: AWS CloudHSM also provides control over keys, but it is chosen when an organization needs single-tenant, FIPS 140-validated hardware security modules that it administers itself; S3 does not use CloudHSM keys directly (only through a KMS custom key store or client-side encryption), and there is no managed rotation schedule. Amazon Macie is a data security service that discovers and classifies sensitive data in S3; it does not manage encryption keys. AWS Certificate Manager provisions and renews TLS certificates for data in transit and has nothing to do with keys for data at rest.
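The following is an added example, not part of the original practice question or of AWS documentation. It shows the two artifacts a practitioner would actually produce for this scenario: the request body that sets a bucket's default encryption to SSE-KMS with a customer managed key, the bucket policy that denies uploads not pinned to that key, and a small audit that walks constructed API responses (shaped like boto3's get_bucket_encryption, describe_key and get_key_rotation_status results) to flag buckets that fall short of "customer managed key with rotation enabled". The key ARNs, bucket names and sample responses are constructed here so the code runs offline; plug in real boto3 responses to use it against an account.

```python
"""Audit S3 default encryption and KMS rotation for SSE-KMS compliance (added example)."""
import json

# Hypothetical key ARNs and bucket names (constructed for this example).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"
STALE_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002"


def sse_kms_rule(key_arn):
    """Rule shape that s3.put_bucket_encryption expects under Rules[]."""
    return {
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True,  # S3 Bucket Keys cut KMS request volume and cost
    }


# Constructed sample responses, not real account data.
BUCKET_ENCRYPTION = {
    "finance-records": {"ServerSideEncryptionConfiguration": {"Rules": [sse_kms_rule(CMK_ARN)]}},
    "finance-archive": {"ServerSideEncryptionConfiguration": {"Rules": [sse_kms_rule(STALE_ARN)]}},
    "scratch": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    # aws:kms with no KMSMasterKeyID means the AWS managed key aws/s3 is used.
    "exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}
KEY_METADATA = {
    CMK_ARN: {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
    STALE_ARN: {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
}
ROTATION = {
    CMK_ARN: {"KeyRotationEnabled": True, "RotationPeriodInDays": 365},
    STALE_ARN: {"KeyRotationEnabled": False},
}


def audit_bucket(name, enc, keys=KEY_METADATA, rotation=ROTATION, max_period_days=365):
    """Return a list of findings; an empty list means the bucket is compliant."""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [f"{name}: no default encryption configured"]
    default = rules[0]["ApplyServerSideEncryptionByDefault"]
    if default["SSEAlgorithm"] != "aws:kms":
        return [f"{name}: default is {default['SSEAlgorithm']} (SSE-S3), not SSE-KMS"]
    key_id = default.get("KMSMasterKeyID")
    if not key_id:
        return [f"{name}: SSE-KMS with the AWS managed key aws/s3; rotation is not customer controlled"]
    meta = keys.get(key_id, {}).get("KeyMetadata")
    if meta is None:
        return [f"{name}: key {key_id} not found in account"]
    findings = []
    if meta["KeyManager"] != "CUSTOMER":
        findings.append(f"{name}: key {key_id} is AWS managed, not customer managed")
    if meta["KeyState"] != "Enabled":
        findings.append(f"{name}: key {key_id} is in state {meta['KeyState']}")
    rot = rotation.get(key_id, {})
    if not rot.get("KeyRotationEnabled"):
        findings.append(f"{name}: key {key_id} has automatic rotation disabled")
    elif rot.get("RotationPeriodInDays", 365) > max_period_days:  # older responses omit the period
        findings.append(f"{name}: rotation period {rot['RotationPeriodInDays']}d exceeds {max_period_days}d")
    return findings


def audit_all(buckets=BUCKET_ENCRYPTION):
    return {name: audit_bucket(name, enc) for name, enc in buckets.items()}


def deny_unpinned_uploads_policy(bucket, key_arn):
    """Bucket policy denying PutObject unless SSE-KMS with this exact key is requested."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": arn,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyOtherKmsKeys", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": arn,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
    ]}


if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
    print(json.dumps(deny_unpinned_uploads_policy("finance-records", CMK_ARN), indent=2))
```

The audit treats "SSE-KMS with the AWS managed key" as a finding on purpose: aws/s3 is rotated by AWS on its own schedule and its key policy cannot be edited, so it does not satisfy the question's requirement of organizational control over keys and rotation. The second policy statement pins uploads to one key ARN, which stops a client from quietly encrypting under a different key whose policy the organization does not govern.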