AWS Certified Solutions Architect – Professional — Question 567

A company has multiple business units. Each business unit has its own AWS account and runs a single website within that account. The company also has a single logging account. Logs from each business unit website are aggregated into a single Amazon S3 bucket in the logging account. The S3 bucket policy provides each business unit with access to write data into the bucket and requires data to be encrypted.
The company needs to encrypt logs uploaded into the bucket using a single AWS Key Management Service (AWS KMS) CMK. The CMK that protects the data must be rotated once every 365 days.
Which strategy is the MOST operationally efficient for the company to use to meet these requirements?

Answer options

• A. Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Manually rotate the CMK every 365 days.
• B. Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Enable automatic rotation of the CMK.
• C. Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Manually rotate the CMK every 365 days.
• D. Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Enable automatic rotation of the CMK.

Correct answer: B

Explanation

AWS managed CMKs do not support cross-account sharing or custom key policies, and their automatic rotation period cannot be adjusted to 365 days, ruling out options C and D. A customer managed CMK is required to allow the business unit accounts to encrypt logs written to the central S3 bucket. Enabling automatic rotation on a customer managed CMK automatically rotates the key every 365 days, making it the most operationally efficient choice compared to manual rotation.