AWS Certified Solutions Architect – Associate (SAA-C02) — Question 75

A company has recently updated its internal security standards. The company must now ensure all Amazon S3 buckets and Amazon Elastic Block Store (Amazon
EBS) volumes are encrypted with keys created and periodically rotated by internal security specialists. The company is looking for a native, software-based AWS service to accomplish this goal.
What should a solutions architect recommend as a solution?

Answer options

• A. Use AWS Secrets Manager with customer master keys (CMKs) to store master key material and apply a routine to create a new CMK periodically and replace it in AWS Secrets Manager.
• B. Use AWS Key Management Service (AWS KMS) with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in AWS KMS.
• C. Use an AWS CloudHSM cluster with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in the CloudHSM cluster nodes.
• D. Use AWS Systems Manager Parameter Store with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in the Parameter Store.

Correct answer: B

Explanation

The correct answer is B, as AWS Key Management Service (AWS KMS) is specifically designed for managing encryption keys and supports the creation and rotation of customer master keys (CMKs). Other options, such as AWS Secrets Manager and AWS Systems Manager Parameter Store, are not primarily focused on key management, while AWS CloudHSM is a more complex solution that may not be necessary for this requirement.