AWS Certified Solutions Architect – Associate (SAA-C03) — Question 639

A company stores sensitive data in Amazon S3. A solutions architect needs to create an encryption solution. The company needs to fully control the ability of users to create, rotate, and disable encryption keys with minimal effort for any data that must be encrypted.

Which solution will meet these requirements?

Answer options

• A. Use default server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to store the sensitive data.
• B. Create a customer managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
• C. Create an AWS managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
• D. Download S3 objects to an Amazon EC2 instance. Encrypt the objects by using customer managed keys. Upload the encrypted objects back into Amazon S3.

Correct answer: B

Explanation

Customer managed keys in AWS KMS offer full administrative control over the key lifecycle, allowing users to create, rotate, and disable keys with minimal effort via integration with SSE-KMS. AWS managed keys (SSE-KMS) and S3 managed keys (SSE-S3) do not permit users to manually disable or control rotation schedules. Downloading objects to an Amazon EC2 instance for manual encryption introduces high operational complexity and does not meet the requirement of minimal effort.