AWS Certified Developer – Associate — Question 178
A developer is storing sensitive data generated by an application in Amazon S3. The developer wants to encrypt the data at rest. A company policy requires an audit trail of when the AWS Key Management Service (AWS KMS) key was used and by whom.
Which encryption option will meet these requirements?
Answer options
- A. Server-side encryption with Amazon S3 managed keys (SSE-S3)
- B. Server-side encryption with AWS KMS managed keys (SSE-KMS)
- C. Server-side encryption with customer-provided keys (SSE-C)
- D. Server-side encryption with self-managed keys
Correct answer: B
Explanation
The correct answer is B: server-side encryption with AWS KMS managed keys (SSE-KMS) provides the required audit trail because each use of the KMS key is recorded in AWS CloudTrail, including which principal used it and when. Option A (SSE-S3) does not offer the same level of key-usage auditing. Option C (SSE-C) leaves key management to the customer and has no built-in auditing. Option D (self-managed keys) likewise does not integrate with AWS's auditing capabilities.