A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year. How should the bucket be configured?

A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
B. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
D. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.
A, C - SSE-S3 encrypts the data key with a master key that is regularly rotated. However, you cannot define the rotation as annual. B is wrong because S3-KMS does not exist. D is correct. Now it can be changed every year; it was 3 years some time ago.
D - AWS-managed CMK has a 3-year rotation.
You can use SSE-KMS with either a customer-managed key or the default AWS-managed key.
You can set yours to rotate every one year, and the AWS key now rotates annually instead of every 3 years.
B - To protect the sensitive data in an Amazon S3 bucket, the bucket should be configured with server-side encryption. The AWS Key Management Service (KMS) can be used to manage the encryption keys. To automatically rotate the keys every year, a customer-managed CMK with key rotation enabled should be used.
AWS automatically rotates key material for AWS-owned and AWS-managed keys.
Rotation is done annually for AWS-managed keys, whilst customers can choose to enable annual rotation for some customer-managed keys. D
A and C are wrong. There is nothing called S3-KMS, so B is out. The correct answer is D because, as of May 2022, AWS KMS changed the rotation schedule for AWS-managed keys from every three years to every year. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys
D is correct, as AWS-managed keys can now be rotated automatically every 1 year; this change was made in May 2022. Refer: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys
AWS-managed keys are now rotated every year, as of May 2022.
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys
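To make the rotation discussion above concrete, here is an added audit script, written for this page and not code from ExamTopics or AWS, that checks a bucket's default encryption configuration and the rotation status of the key it points at, covering the cases the comments argue about: SSE-S3, the AWS-managed key, a customer-managed key with rotation enabled, one with rotation disabled, and one with imported key material. The dict shapes follow what boto3 returns for GetBucketEncryption, DescribeKey and GetKeyRotationStatus; the account id, bucket names, key ids and rotation settings are constructed sample data, and a missing RotationPeriodInDays is assumed to mean the default annual period.

```python
"""Audit S3 default encryption against the requirement in the question above:
SSE-KMS with a KMS key whose material is rotated automatically every year.

Added example for this page, not ExamTopics' or AWS's code. Dict shapes mirror
what boto3 returns for GetBucketEncryption, DescribeKey and GetKeyRotationStatus;
the account id, bucket names, key ids and rotation settings are constructed
sample data, not real resources.
"""
from __future__ import annotations

from typing import Callable

ACCOUNT = "111122223333"      # constructed account id
REGION = "us-east-1"          # constructed region
REQUIRED_PERIOD_DAYS = 365    # "rotated automatically every year"


def key_arn(key_id: str) -> str:
    """Build a KMS key ARN in the constructed account (key ids below are made up)."""
    return f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{key_id}"


# Stands in for the account's AWS managed key alias/aws/s3 (constructed id).
AWS_S3_MANAGED_KEY_ARN = key_arn("aws-s3-managed-EXAMPLE")

# Per-key facts, as if merged from DescribeKey()["KeyMetadata"] (KeyManager, Origin)
# and GetKeyRotationStatus() (KeyRotationEnabled, RotationPeriodInDays). Constructed.
SAMPLE_KEYS = {
    AWS_S3_MANAGED_KEY_ARN: {"KeyManager": "AWS", "Origin": "AWS_KMS",
                             "KeyRotationEnabled": True, "RotationPeriodInDays": 365},
    key_arn("cmk-rotated-EXAMPLE"): {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
                                     "KeyRotationEnabled": True, "RotationPeriodInDays": 365},
    key_arn("cmk-norotate-EXAMPLE"): {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
                                      "KeyRotationEnabled": False},
    key_arn("cmk-imported-EXAMPLE"): {"KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
                                      "KeyRotationEnabled": False},
}


def build_put_bucket_encryption(bucket: str, kms_key_arn: str | None) -> dict:
    """Keyword arguments for s3.put_bucket_encryption(**result): SSE-KMS by default.

    kms_key_arn=None leaves KMSMasterKeyID out, which makes S3 fall back to the
    account's AWS managed key aws/s3.
    """
    by_default = {"SSEAlgorithm": "aws:kms"}
    if kms_key_arn:
        by_default["KMSMasterKeyID"] = kms_key_arn
    rule = {"ApplyServerSideEncryptionByDefault": by_default,
            "BucketKeyEnabled": True}  # fewer KMS requests; does not affect rotation
    return {"Bucket": bucket, "ServerSideEncryptionConfiguration": {"Rules": [rule]}}


# Bucket configs as GetBucketEncryption()["ServerSideEncryptionConfiguration"]. Constructed.
SAMPLE_BUCKETS = {
    "sse-s3-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
}
for _name, _key in [("aws-managed-bucket", None),
                    ("cmk-rotated-bucket", key_arn("cmk-rotated-EXAMPLE")),
                    ("cmk-norotate-bucket", key_arn("cmk-norotate-EXAMPLE")),
                    ("cmk-imported-bucket", key_arn("cmk-imported-EXAMPLE"))]:
    SAMPLE_BUCKETS[_name] = build_put_bucket_encryption(_name, _key)["ServerSideEncryptionConfiguration"]


def audit_bucket(sse_config: dict, key_lookup: Callable[[str], dict | None]) -> list[str]:
    """Return findings for one bucket; an empty list means it meets the requirement."""
    rules = sse_config.get("Rules") or []
    if not rules:
        return ["no default encryption rule configured"]
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm != "aws:kms":
        return [f"default encryption is {algorithm!r}, not SSE-KMS ('aws:kms')"]
    # With aws:kms and no explicit key, S3 uses the AWS managed key aws/s3.
    key_ref = default.get("KMSMasterKeyID", AWS_S3_MANAGED_KEY_ARN)
    key = key_lookup(key_ref)
    if key is None:
        return [f"KMS key {key_ref} not found or not accessible"]
    if key.get("Origin") == "EXTERNAL":
        return ["key material is imported (Origin=EXTERNAL); KMS cannot rotate it automatically"]
    if not key.get("KeyRotationEnabled"):
        return ["automatic key rotation is disabled"]
    period = key.get("RotationPeriodInDays", REQUIRED_PERIOD_DAYS)  # assumed default
    if period != REQUIRED_PERIOD_DAYS:
        return [f"rotation period is {period} days, not {REQUIRED_PERIOD_DAYS}"]
    return []


def audit_all(buckets: dict = SAMPLE_BUCKETS, keys: dict = SAMPLE_KEYS) -> dict[str, list[str]]:
    """Audit every bucket config against the key table; bucket name -> findings."""
    return {name: audit_bucket(cfg, keys.get) for name, cfg in buckets.items()}


def compliant_buckets(buckets: dict = SAMPLE_BUCKETS, keys: dict = SAMPLE_KEYS) -> list[str]:
    """Names of buckets with no findings, sorted."""
    return sorted(name for name, findings in audit_all(buckets, keys).items() if not findings)


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To run this against a live account, feed `audit_bucket` the value of `s3.get_bucket_encryption(Bucket=...)["ServerSideEncryptionConfiguration"]` and a lookup that merges `kms.describe_key(KeyId=...)["KeyMetadata"]` with `kms.get_key_rotation_status(KeyId=...)`; the audit then flags exactly the two configurations that SSE-KMS alone does not guarantee, a key with rotation switched off and a key whose material was imported.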