A company will store confidential data in Amazon S3. For compliance, the data must be encrypted at rest, encryption key usage must be logged for auditing, and keys must be rotated every year. Which solution meets these requirements and is the MOST operationally efficient?
Choose an answer
Tap an option to check your answer.
Correct answer: Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation.
Why this is the answer
SSE-KMS with automatic rotation is the most operationally efficient solution because it integrates with AWS Key Management Service (KMS), which provides a managed service for creating and controlling encryption keys. KMS automatically logs all key usage to AWS CloudTrail for auditing purposes, fulfilling the logging requirement. Furthermore, KMS offers automatic key rotation, which simplifies compliance by handling the yearly rotation without manual intervention, making it highly operationally efficient. SSE-C requires the customer to manage and provide their own encryption keys, which adds operational overhead and complexity for key rotation and auditing. SSE-S3 uses keys managed by Amazon S3, but these keys are not directly accessible or auditable via CloudTrail for specific key usage, nor do they offer automatic rotation in the same way KMS keys do. SSE-KMS with manual rotation would meet the encryption and logging requirements, but it would not be the most operationally efficient due to the need for manual key rotation.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed