AWS Certified Solutions Architect – Associate (SAA-C02) — Question 352

A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and is the MOST operationally efficient?

Answer options

• A. Server-side encryption with customer-provided keys (SSE-C)
• B. Server-side encryption with Amazon S3 managed keys (SSE-S3)
• C. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation
• D. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation

Correct answer: D

Explanation

Option D is correct because SSE-KMS provides the required audit logs via AWS CloudTrail and supports automatic annual rotation of customer managed keys, minimizing operational effort. SSE-S3 (Option B) and SSE-C (Option A) do not provide the necessary key usage auditing or simplified annual rotation management under the customer's control. Option C is less operationally efficient than Option D because manual rotation introduces unnecessary administrative overhead.