AWS Certified Solutions Architect – Associate (SAA-C03) — Question 895

A company is designing an application on AWS that processes sensitive data. The application stores and processes financial data for multiple customers.

To meet compliance requirements, the data for each customer must be encrypted separately at rest by using a secure, centralized key management solution. The company wants to use AWS Key Management Service (AWS KMS) to implement encryption.

Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Generate a unique encryption key for each customer. Store the keys in an Amazon S3 bucket. Enable server-side encryption.
• B. Deploy a hardware security appliance in the AWS environment that securely stores customer-provided encryption keys. Integrate the security appliance with AWS KMS to encrypt the sensitive data in the application.
• C. Create a single AWS KMS key to encrypt all sensitive data across the application.
• D. Create separate AWS KMS keys for each customer's data that have granular access control and logging enabled.

Correct answer: D

Explanation

Creating individual AWS KMS keys for each customer satisfies the compliance requirement for separate encryption at rest while leveraging KMS's built-in key rotation, access policies, and CloudTrail integration with minimal operational effort. Using a single key (Option C) violates the separation requirement, while storing keys in Amazon S3 (Option A) or managing dedicated hardware security appliances (Option B) introduces high operational overhead and security risks.