AWS Certified Solutions Architect – Associate (SAA-C02) — Question 552

A company is planning to move its data to an Amazon S3 bucket. The data must be encrypted when it is stored in the S3 bucket. Additionally, the encryption key must be automatically rotated every year.
Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Move the data to the S3 bucket. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
• B. Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket.
• C. Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket's default encryption behavior to use the customer managed KMS key Move the data to the S3 bucket. Manually rotate the KMS key every year
• D. Encrypt the data with customer key material before moving the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.

Correct answer: B

Explanation

AWS KMS customer managed keys support automatic annual rotation, which directly satisfies the requirement with minimal operational effort when configured as the S3 bucket's default encryption. SSE-S3 keys are managed by AWS and do not rotate on a customer-configurable annual schedule. Manual rotation and importing custom key material both introduce significant operational overhead and do not support native automatic rotation.