AWS Certified Solutions Architect – Associate (SAA-C03) — Question 109

A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and is the MOST operationally efficient?

Answer options

• A. Server-side encryption with customer-provided keys (SSE-C)
• B. Server-side encryption with Amazon S3 managed keys (SSE-S3)
• C. Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation
• D. Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation

Correct answer: D

Explanation

Option D is correct because it allows for automatic key rotation and meets the requirements for encryption, logging, and compliance efficiently. Option A requires manual key management, which is less operationally efficient. Option B does not provide the necessary key rotation or logging features. Option C, while it uses AWS KMS, still requires manual key rotation, making it less efficient than option D.