The encryption key must be managed by the company and rotated periodicallyWhich of the following solutions should the solutions architect recommend?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is migrating an application to AWS.It wants to use fully managed services as much as possible during the migration.The company needs to store large important documents within the application with the following requirements:1.The data must be highly durable and available2.The data must always be encrypted at rest and in transit3.

The encryption key must be managed by the company and rotated periodicallyWhich of the following solutions should the solutions architect recommend?

Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.

Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.

Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.

Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.

Explanations:

While a storage gateway can provide access to on-premises data in AWS, it is not the best fit for this requirement. EBS volume encryption relies on AWS KMS but does not allow the company to manage its own encryption keys directly, as the keys are managed by AWS KMS.

Amazon S3 provides high durability and availability. It supports server-side encryption with AWS KMS, allowing the company to manage its encryption keys and rotate them as needed. Additionally, a bucket policy can enforce HTTPS for secure data transfer, ensuring that data is encrypted in transit and at rest.

While Amazon DynamoDB supports SSL for encryption in transit and can encrypt data at rest using AWS KMS, it does not give the company full control over key management since AWS KMS manages the keys. This does not meet the requirement for the company to manage and rotate its own encryption keys.

Using Amazon EBS volumes with encryption is not a fully managed service and requires management of EC2 instances, which goes against the requirement for fully managed services. Although EBS supports encryption with AWS KMS, it does not allow the company to manage its own keys directly.

2025-10-20

1 Comment

  1. John
    Author

    As I understand it, the answer is:
    Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 1 =