Which solution meets these requirements and is the MOST operationally efficient?

By:
In: SAA-C02
Tagged:
With: 1 Comment
A company is preparing to store confidential data in Amazon S3.For compliance reasons, the data must be encrypted at rest.Encryption key usage must be logged for auditing purposes.Keys must be rotated every year.

Which solution meets these requirements and is the MOST operationally efficient?

Server-side encryption with customer-provided keys (SSE-C)

Server-side encryption with Amazon S3 managed keys (SSE-S3)

Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation

Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation

Explanations:

SSE-C requires the user to manage encryption keys manually and does not provide automatic logging of key usage or automatic key rotation. This increases operational overhead and complexity.

SSE-S3 uses Amazon S3-managed keys, which simplifies management but does not allow for key usage logging or compliance auditing as required. It also does not support customer-controlled key rotation.

While SSE-KMS with manual key rotation meets the encryption and logging requirements, the manual key rotation process is less operationally efficient than automatic rotation, requiring more administrative effort and management.

SSE-KMS with automatic key rotation provides encryption at rest, logs key usage for compliance auditing, and automates the key rotation process every year, making it the most operationally efficient option.

2025-10-17

1 Comment

  1. Laura
    Author

    I have a feeling that the answer is:
    Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation

Leave a Reply

Your email address will not be published. Required fields are marked *

nine + 16 =