AWS Certified Solutions Architect – Associate (SAA-C03) — Question 170

A company needs to store contract documents. A contract lasts for 5 years. During the 5-year period, the company must ensure that the documents cannot be overwritten or deleted. The company needs to encrypt the documents at rest and rotate the encryption keys automatically every year.

Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead? (Choose two.)

Answer options

• A. Store the documents in Amazon S3. Use S3 Object Lock in governance mode.
• B. Store the documents in Amazon S3. Use S3 Object Lock in compliance mode.
• C. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure key rotation.
• D. Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.
• E. Use server-side encryption with AWS Key Management Service (AWS KMS) customer provided (imported) keys. Configure key rotation.

Correct answer: B, D

Explanation

Option B is correct because S3 Object Lock in compliance mode ensures that the documents are immutable and cannot be deleted or modified for the specified retention period. Option D is correct as AWS KMS customer managed keys can be automatically rotated, providing the necessary encryption key management. The other options either do not meet the immutability requirement (A) or use encryption methods that do not allow for automatic key rotation (C, E).