A company plans to migrate data to an Amazon S3 bucket. Data must be encrypted at rest in S3, and the encryption key must be rotated automatically every year. Which solution meets these requirements with the LEAST operational overhead?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption to use the customer managed KMS key. Migrate the data to the S3 bucket..
Why this is the answer
The correct solution leverages AWS KMS customer managed keys (CMKs) with automatic key rotation enabled. This meets the requirement for encryption at rest and automatic annual key rotation with minimal operational overhead, as KMS handles the rotation. Setting the S3 bucket's default encryption to use this CMK ensures all new objects are encrypted appropriately. Using SSE-S3 (S3 managed keys) does not allow for automatic annual rotation of the encryption key; S3 rotates these keys on an irregular schedule, not annually. Manually rotating a KMS key every year increases operational overhead, failing the "least operational overhead" requirement. Importing customer key material into KMS is more complex and doesn't inherently provide automatic annual rotation for the imported material itself, nor is it necessary to meet the stated requirements.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed