A company stores sensitive data in Amazon S3. A solutions architect must create an encryption solution that gives the company full control to create, rotate, and disable encryption keys, with minimal effort for any data that must be encrypted. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a customer managed key by using AWS Key Management Service (AWS KMS). Use the key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS)..
Why this is the answer
The correct solution is to create a customer managed key (CMK) in AWS Key Management Service (KMS) and use it for Server-Side Encryption with AWS KMS keys (SSE-KMS). This approach gives the company full control over key creation, rotation, and disabling, as CMKs are fully managed by the customer within KMS. SSE-KMS handles the encryption and decryption automatically when objects are uploaded or downloaded from S3, minimizing effort. Using SSE-S3 (S3-managed keys) does not provide the customer with control over the keys. An AWS managed key in KMS, while offering some benefits, is still managed by AWS, not the customer, regarding its lifecycle. Manually downloading, encrypting on an EC2 instance, and re-uploading is overly complex, inefficient, and prone to errors, failing the "minimal effort" requirement.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed