What should the solutions architect recommend?

By:
In: SAA-C02
Tagged:
With: 1 Comment
A company is preparing to deploy a data lake on AWS.A solutions architect must define the encryption strategy tor data at rest m Amazon S3/ The company’s security policy states:✑ Keys must be rotated every 90 days.✑ Strict separation of duties between key users and key administrators must be implemented.✑ Auditing key usage must be possible.

What should the solutions architect recommend?

Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs)

Server-side encryption with AWS KMS managed keys (SSE-KMS) with AWS managed customer master keys (CMKs)

Server-side encryption with Amazon S3 managed keys (SSE-S3) with customer managed customer master keys (CMKs)

Server-side encryption with Amazon S3 managed keys (SSE-S3) with AWS managed customer master keys (CMKs)

Explanations:

Using SSE-KMS with customer managed CMKs allows for key rotation every 90 days, ensures strict separation of duties through IAM policies, and provides detailed auditing capabilities for key usage.

While SSE-KMS with AWS managed CMKs provides encryption and some level of key management, it does not allow for customer-controlled key rotation, which does not meet the requirement of rotating keys every 90 days.

SSE-S3 uses S3-managed keys, which do not support customer-managed CMKs, key rotation policies, or detailed auditing, failing to meet the company’s security policy requirements.

Similar to option C, SSE-S3 with AWS managed CMKs lacks the ability to rotate keys as per the company’s policy, and does not provide sufficient separation of duties or auditing for key usage.

2025-10-03

1 Comment

  1. Ryan
    Author

    I compute that the answer is:
    Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs)

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − nine =