Which strategy is the MOST operationally efficient for the company to use to meet these requirements?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company has multiple business units.Each business unit has its own AWS account and runs a single website within that account.The company also has a single logging account.Logs from each business unit website are aggregated into a single Amazon S3 bucket in the logging account.The S3 bucket policy provides each business unit with access to write data into the bucket and requires data to be encrypted.The company needs to encrypt logs uploaded into the bucket using a single AWS Key Management Service (AWS KMS) CMK.The CMK that protects the data must be rotated once every 365 days.

Which strategy is the MOST operationally efficient for the company to use to meet these requirements?

Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Manually rotate the CMK every 365 days.

Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Enable automatic rotation of the CMK.

Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Manually rotate the CMK every 365 days.

Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Enable automatic rotation of the CMK.

Explanations:

This option involves creating a customer managed CMK but restricts access to the logging account only. While it meets the encryption requirement, it does not allow the business units to write logs, as they need access to the CMK. Additionally, manual rotation every 365 days is less operationally efficient compared to automatic rotation.

This option creates a customer managed CMK with access granted to both the logging account and the business unit accounts. It allows all units to write logs while enabling automatic rotation of the CMK, which aligns with the requirement for operational efficiency and reduces the manual workload associated with key management.

This option uses an AWS managed CMK, which does not allow for custom key policies and does not provide the control necessary to grant access to specific accounts. It also requires manual rotation every 365 days, which is not as efficient as automatic rotation, making it a poor choice for the requirement.

While this option uses an AWS managed CMK, which simplifies management, it restricts access to the logging account only. The business units would not be able to encrypt their logs as they lack access to the key. Enabling automatic rotation is positive, but without the necessary access, it fails to meet the requirement.

2025-09-30

1 Comment

  1. Mary
    Author

    Based on what I know, the answer is:
    Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Enable automatic rotation of the CMK.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty − nineteen =