AWS Certified Solutions Architect – Associate (SAA-C02) — Question 643
A company needs to store contract documents. A contract lasts for 5 years. During the 5-year period, the company must ensure that the documents cannot be overwritten or deleted. The company needs to encrypt the documents at rest and rotate the encryption keys automatically every year.
Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead? (Choose two.)
Answer options
- A. Store the documents in Amazon S3. Use S3 Object Lock in governance mode.
- B. Store the documents in Amazon S3. Use S3 Object Lock in compliance mode.
- C. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure key rotation.
- D. Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.
- E. Use server-side encryption with AWS Key Management Service (AWS KMS) customer provided (imported) keys. Configure key rotation.
Correct answer: B, C
Explanation
S3 Object Lock in compliance mode (Option B) ensures that no user, including the root account, can delete or overwrite the documents during the 5-year retention period, whereas governance mode (Option A) allows certain users to bypass restrictions. Server-side encryption with Amazon S3 managed keys (SSE-S3) (Option C) automatically encrypts the data and rotates keys annually with zero operational overhead. Using AWS KMS customer managed or imported keys (Options D and E) would meet the security requirements but would introduce unnecessary operational overhead for key management.
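As an added check that is not part of the original question, the following Python validates a bucket's Object Lock and default-encryption settings against the requirements above (COMPLIANCE mode, at least 5 years retention, SSE-S3), using dicts shaped like the S3 GetObjectLockConfiguration and GetBucketEncryption API responses; the sample configurations are constructed.

```python
"""Check an S3 bucket's Object Lock and default-encryption settings against the
question's requirements: COMPLIANCE-mode retention of at least 5 years and SSE-S3
(algorithm "AES256") at rest. Input dicts follow the shape of the S3 API responses
GetObjectLockConfiguration and GetBucketEncryption; samples are constructed."""
REQUIRED_YEARS = 5

def retention_days(default_retention):
    """Normalise a DefaultRetention block (Days or Years) to days; S3 counts a year as 365 days."""
    if "Years" in default_retention:
        return default_retention["Years"] * 365
    return default_retention.get("Days", 0)

def check_bucket(lock_cfg, enc_cfg):
    """Return a list of findings; an empty list means every requirement is met."""
    findings = []
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be bypassed by permitted users; COMPLIANCE cannot be shortened by anyone
        findings.append(f"retention mode is {mode!r}; COMPLIANCE is required")
    if retention_days(retention) < REQUIRED_YEARS * 365:
        findings.append(f"default retention is shorter than {REQUIRED_YEARS} years")
    rules = enc_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not algos:
        findings.append("no default encryption rule is configured")
    elif "AES256" not in algos:
        # aws:kms also encrypts at rest but adds the key-management overhead the question avoids
        findings.append(f"default encryption uses {algos}; SSE-S3 (AES256) expected")
    return findings

# Constructed sample configurations (not taken from a real account)
COMPLIANT_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 5}}}}
COMPLIANT_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
                 {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 1095}}}}
KMS_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
           {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    print(check_bucket(COMPLIANT_LOCK, COMPLIANT_ENC))  # []
    print(check_bucket(WEAK_LOCK, KMS_ENC))  # three findings
```

In a real account the two dicts would come from the corresponding S3 API calls; the checker itself needs no network access.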