AWS Certified Developer – Associate (DVA-C02) — Question 149

A developer is planning to migrate on-premises company data to Amazon S3. The data must be encrypted, and the encryption keys must support automatic annual rotation. The company must use AWS Key Management Service (AWS KMS) to encrypt the data.

Which type of keys should the developer use to meet these requirements?

Answer options

• A. Amazon S3 managed keys
• B. Symmetric customer managed keys with key material that is generated by AWS
• C. Asymmetric customer managed keys with key material that is generated by AWS
• D. Symmetric customer managed keys with imported key material

Correct answer: B

Explanation

The correct choice is B, as symmetric customer managed keys generated by AWS allow for automatic annual rotation and meet the encryption requirements. Option A, Amazon S3 managed keys, does not allow for key rotation. Options C and D involve asymmetric keys and imported key material, respectively, which do not align with the requirement for automatic rotation.