A company regularly uploads confidential data to Amazon S3 for analysis. Security policy requires objects be encrypted at rest, the encryption key must be automatically rotated annually, key rotation must be trackable in AWS CloudTrail, and key costs must be minimized. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use server-side encryption with AWS KMS keys (SSE-KMS).
Why this is the answer
SSE-KMS (Server-Side Encryption with AWS KMS keys) is the correct choice because it directly addresses all requirements. KMS keys are automatically rotated annually by default, and this rotation is trackable in CloudTrail. While KMS incurs a small cost per API call, it's generally cost-effective for this use case compared to managing custom keys. SSE-C requires customers to manage and rotate their own encryption keys, which doesn't meet the automatic rotation requirement. SSE-S3 uses S3-managed keys, which are automatically rotated, but the rotation is not trackable in CloudTrail. Using customer-managed AWS KMS keys would provide trackable rotation, but the question specifies minimizing key costs, and AWS-managed KMS keys are generally more
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed