AWS Certified SysOps Administrator – Associate — Question 209
A company is building an interactive application for personal finance. The application stores financial data in Amazon S3, and the data must be encrypted. The company does not want to provide its own encryption keys. However, the company wants to maintain an audit trail that shows when an encryption key was used and who used the key.
Which solution will meet these requirements?
Answer options
- A. Use client-side encryption with client-provided keys. Upload the encrypted user data to Amazon S3.
- B. Use server-side encryption with S3 managed encryption keys (SSE-S3) to encrypt the user data on Amazon S3.
- C. Use server-side encryption with customer-provided encryption keys (SSE-C) to encrypt the user data on Amazon S3.
- D. Use server-side encryption with AWS KMS managed encryption keys (SSE-KMS) to encrypt the user data on Amazon S3.
Correct answer: D
Explanation
The correct answer is D because with AWS KMS managed encryption keys (SSE-KMS), AWS KMS manages the keys on the company's behalf and records every use of the key, which provides the required audit trail of when a key was used and who used it. Options A and C require the company to provide and manage its own keys, which goes against its requirements. Option B (SSE-S3) encrypts the data but does not provide an audit trail of key usage.