AWS Certified Developer – Associate (DVA-C02) — Question 185
A developer is storing sensitive data generated by an application in Amazon S3. The developer wants to encrypt the data at rest. A company policy requires an audit trail of when the AWS Key Management Service (AWS KMS) key was used and by whom.
Which encryption option will meet these requirements?
Answer options
- A. Server-side encryption with Amazon S3 managed keys (SSE-S3)
- B. Server-side encryption with AWS KMS managed keys (SSE-KMS)
- C. Server-side encryption with customer-provided keys (SSE-C)
- D. Server-side encryption with self-managed keys
Correct answer: B
Explanation
The correct answer is B: server-side encryption with AWS KMS managed keys (SSE-KMS) provides detailed logging of key usage, which satisfies the company's requirement for an audit trail of when the key was used and by whom. Options A, C, and D do not offer the same level of auditing and management as SSE-KMS, so they do not meet the stated requirements.