AWS Certified Developer – Associate — Question 371
A company stores documents in Amazon S3 with default settings. A new regulation requires the company to encrypt the documents at rest, rotate the encryption keys annually, and keep a record of when the encryption keys were rotated. The company does not want to manage the encryption keys outside of AWS.
Which solution will meet these requirements?
Answer options
- A. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
- B. Use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
- C. Use server-side encryption with customer-provided encryption keys (SSE-C).
- D. Use client-side encryption before sending the data to Amazon S3.
Correct answer: B
Explanation
AWS KMS managed keys (SSE-KMS) support automatic annual key rotation and record every rotation event, so all the regulatory and tracking requirements are met without managing keys outside AWS. SSE-S3, by contrast, offers no visibility into when its keys were rotated, while SSE-C and client-side encryption shift the burden of key management back to the customer.