AWS Certified Solutions Architect – Associate (SAA-C03) — Question 909

A company regularly uploads confidential data to Amazon S3 buckets for analysis.

The company's security policies mandate that the objects must be encrypted at rest. The encryption key must be rotated automatically every year. The company must be able to track key rotation by using AWS CloudTrail. The company must also minimize the cost of the encryption key.

Which solution will meet these requirements?

Answer options

Correct answer: C

Explanation

SSE-KMS using the default AWS managed key satisfies all requirements because it automatically rotates the encryption key every year, logs all key usage and rotation events in AWS CloudTrail, and incurs no monthly key fee, minimizing costs. SSE-S3 does not provide CloudTrail auditing for key rotation, while customer managed keys in KMS incur a monthly fee of $1 per key. SSE-C requires the customer to manage and rotate keys manually, which does not meet the automatic rotation requirement.
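The following is an added example, not part of the original question or of any AWS code. It turns the explanation above into a check a practitioner could run over the `ServerSideEncryptionConfiguration` document that `s3:GetBucketEncryption` returns (the same shape `s3:PutBucketEncryption` accepts): it classifies the bucket's default encryption as SSE-S3, SSE-KMS with an AWS managed key, or SSE-KMS with a customer managed key, and reports which of the question's requirements each fails. The sample configurations and the key ARN are constructed; the rule that an explicit key ID not under `alias/aws/` is customer managed is an assumption of this script.

```python
"""Classify an S3 bucket's default encryption against the requirements in the
question: encrypted at rest, automatic yearly rotation, rotation visible in
CloudTrail, minimal key cost.  Added example; input documents are constructed.
"""
from typing import Optional

# Default-encryption document that matches the chosen answer: SSE-KMS with no
# KMSMasterKeyID, so S3 falls back to the AWS managed key for the account.
# BucketKeyEnabled reduces KMS request volume; it does not change the key type.
def compliant_default_encryption() -> dict:
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
                "BucketKeyEnabled": True,
            }
        ]
    }


def _is_aws_managed_key(key_id: Optional[str]) -> bool:
    """No key ID means 'use the AWS managed key'; an alias under alias/aws/
    also names one.  Any other ID (key ARN, key ID, custom alias) is treated
    as customer managed -- an assumption, since a bare key ARN alone does not
    reveal who manages the key."""
    if key_id is None:
        return True
    return key_id.startswith("alias/aws/") or ":alias/aws/" in key_id


def evaluate_bucket_encryption(config: Optional[dict]) -> dict:
    """Return {'key_type': ..., 'compliant': bool, 'findings': [...]} for one
    bucket.  SSE-C never appears here: it cannot be a bucket default."""
    findings = []
    if not config or not config.get("Rules"):
        return {
            "key_type": "none",
            "compliant": False,
            "findings": ["no SSE-KMS default: key rotation cannot be tracked in CloudTrail"],
        }

    # S3 accepts a single rule; evaluate the first one.
    default = config["Rules"][0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")

    if algo == "AES256":
        key_type = "sse-s3"
        findings.append("SSE-S3: key rotation is not auditable in CloudTrail")
    elif algo in ("aws:kms", "aws:kms:dsse"):
        if _is_aws_managed_key(default.get("KMSMasterKeyID")):
            key_type = "sse-kms-aws-managed"  # yearly rotation, no monthly key fee
        else:
            key_type = "sse-kms-customer-managed"
            findings.append(
                "customer managed KMS key: monthly key charge; rotation must be "
                "enabled on the key rather than being automatic"
            )
    else:
        key_type = "unknown"
        findings.append(f"unrecognised SSEAlgorithm {algo!r}")

    return {"key_type": key_type, "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs representing the answer options discussed above.
    samples = {
        "aws managed key (SSE-KMS)": compliant_default_encryption(),
        "SSE-S3": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "customer managed key": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                # Constructed ARN; not a real key.
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            }}]
        },
        "no default": None,
    }
    for name, cfg in samples.items():
        print(name, "->", evaluate_bucket_encryption(cfg))
```

The `compliant_default_encryption()` document is what you would pass as `ServerSideEncryptionConfiguration` to `put_bucket_encryption`; when auditing existing buckets, feed each `get_bucket_encryption` result into `evaluate_bucket_encryption()` and act on the `findings` list.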