Which of the following meets these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of `Sensitive,` `Confidential,` and `Restricted.` The security solution must meet all of the following requirements:✑ Each object must be encrypted using a unique key.✑ Items that are stored in the `Restricted` bucket require two-factor authentication for decryption.✑ AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the ג€Restrictedג€ CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.

Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the ג€Restrictedג€ key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Explanations:

This option satisfies all the requirements: it creates a separate CMK for each classification type, enables annual key rotation, and defines MFA policy for theRestrictedbucket using KMS key policy. SSE-KMS is used to encrypt the objects, ensuring unique encryption keys.

Grants are not suitable for this requirement. The option mentions using a CMK grant with attributes like EnableKeyRotation and MultiFactorAuthPresent, but grants are typically used for delegating permissions, not for managing encryption keys or enforcing MFA for decryption.

The option suggests using DEK grants, which are not a valid concept in AWS KMS. While it is correct that CMKs can be used, the use of DEK grants is not part of how AWS KMS works for encrypting objects. The MFA policy should also be part of the key policy, not in a CMK policy.

Importing key material and setting unique imported key material for each classification type is unnecessary for this use case. It adds unnecessary complexity and doesn’t align with the requirements. AWS KMS key rotation already handles automatic annual rotation. Additionally, MFA should be managed via key policy, not key material.

2026-03-27

2 Comments

  1. Bruce
    Author

    I systematize that the answer is:
    Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the ג€Restrictedג€ CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

  2. Diane
    Author

    In my experience, the answer is:
    Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the ג€Restrictedג€ CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 5 =