AWS Certified Solutions Architect – Associate (SAA-C02) — Question 342

A company is preparing to deploy a data lake on AWS. A solutions architect must define the encryption strategy tor data at rest m Amazon S3/ The company's security policy states:
✑ Keys must be rotated every 90 days.
✑ Strict separation of duties between key users and key administrators must be implemented.
✑ Auditing key usage must be possible.
What should the solutions architect recommend?

Answer options

• A. Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs)
• B. Server-side encryption with AWS KMS managed keys (SSE-KMS) with AWS managed customer master keys (CMKs)
• C. Server-side encryption with Amazon S3 managed keys (SSE-S3) with customer managed customer master keys (CMKs)
• D. Server-side encryption with Amazon S3 managed keys (SSE-S3) with AWS managed customer master keys (CMKs)

Correct answer: A

Explanation

SSE-KMS with customer managed CMKs allows administrators to define custom key policies to enforce a strict separation of duties between key administrators and key users, while also supporting custom or manual key rotation schedules (such as every 90 days). AWS managed CMKs do not allow modifications to their key policies and are automatically rotated only once every three years. SSE-S3 options are incorrect because SSE-S3 does not support customer-managed CMKs or the level of access control required for strict separation of duties.