AWS Certified Data Analytics – Specialty — Question 53
A company uses the Amazon Kinesis SDK to write data to Kinesis Data Streams. Compliance requirements state that the data must be encrypted at rest using a key that can be rotated. The company wants to meet this encryption requirement with minimal coding effort.
How can these requirements be met?
Answer options
- A. Create a customer master key (CMK) in AWS KMS. Assign the CMK an alias. Use the AWS Encryption SDK, providing it with the key alias to encrypt and decrypt the data.
- B. Create a customer master key (CMK) in AWS KMS. Assign the CMK an alias. Enable server-side encryption on the Kinesis data stream using the CMK alias as the KMS master key.
- C. Create a customer master key (CMK) in AWS KMS. Create an AWS Lambda function to encrypt and decrypt the data. Set the KMS key ID in the function's environment variables.
- D. Enable server-side encryption on the Kinesis data stream using the default KMS key for Kinesis Data Streams.
Correct answer: B
Explanation
Option B is correct because enabling server-side encryption on the Kinesis data stream with a customer master key (CMK) from AWS KMS meets the compliance requirement with minimal coding effort. Option A requires additional coding with the AWS Encryption SDK, and Option C requires creating an AWS Lambda function, which increases complexity. Option D does not fulfill the requirement for a key that can be rotated, because it uses the default KMS key for Kinesis Data Streams.