Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 386 discussion

A company is preparing to deploy a data lake on AWS. A solutions architect must define the encryption strategy for data at rest in Amazon S3. The company's security policy states:
✑ Keys must be rotated every 90 days.
✑ Strict separation of duties between key users and key administrators must be implemented.
✑ Auditing key usage must be possible.
What should the solutions architect recommend?

  • A. Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs)
  • B. Server-side encryption with AWS KMS managed keys (SSE-KMS) with AWS managed customer master keys (CMKs)
  • C. Server-side encryption with Amazon S3 managed keys (SSE-S3) with customer managed customer master keys (CMKs)
  • D. Server-side encryption with Amazon S3 managed keys (SSE-S3) with AWS managed customer master keys (CMKs)
Suggested Answer: A

Comments

syu31svc
Highly Voted 3 years, 7 months ago
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html: "AWS managed CMKs. You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed CMKs every three years (1095 days)." Answer is A
upvoted 24 times
Praps1
3 years, 7 months ago
So shouldn't the answer be B?
upvoted 3 times
cl_16
3 years, 6 months ago
AWS KMS only allows automatic rotation, while customer-managed allow on-demand manual rotation.
upvoted 3 times
Heyang
3 years, 6 months ago
Answer is A. AWS-managed CMK only supports this kind of key rotation "Once every three years automatically" https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
upvoted 8 times
Heyang
3 years, 6 months ago
Auditing key usage must be possible = SSE-KMS
upvoted 6 times
mahdeo01
3 years, 6 months ago
Server-Side Encryption: Using SSE-KMS. You can protect data at rest in Amazon S3 by using three different modes of server-side encryption: SSE-S3, SSE-C, or SSE-KMS.
1) SSE-S3 requires that Amazon S3 manage the data and the encryption keys. For more information about SSE-S3, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).
2) SSE-C requires that you manage the encryption key. For more information about SSE-C, see Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C).
3) SSE-KMS requires that AWS manage the data key but you manage the customer master key (CMK) in AWS KMS.
REF >> https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html
upvoted 4 times
jkwek
Highly Voted 3 years, 6 months ago
Answer is A. Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your AWS Key Management Service (AWS KMS) customer master keys (CMKs), you can create new CMKs, and then change your applications or aliases to use the new CMKs. Or, you can enable automatic key rotation for an existing customer managed CMK.
upvoted 8 times
BECAUSE
Most Recent 1 year, 11 months ago
Selected Answer: A
A is the answer
upvoted 1 times
Faye2
2 years, 11 months ago
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
upvoted 1 times
Faye2
2 years, 11 months ago
Old question, AWS changed key rotation policies from every 3 years to every 1 year in May 2022
upvoted 2 times
examJack
3 years, 1 month ago
Selected Answer: A
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 1 times
Indusri
3 years, 6 months ago
The key words are "encryption strategy for data at rest", so the answer is A.
upvoted 1 times
solee
3 years, 6 months ago
Answer is not B?
B - SSE-KMS with AWS managed customer master keys (CMKs)
A - SSE-KMS with customer managed customer master keys (CMKs) - this is not an AWS managed CMK
upvoted 1 times
vietan
3 years, 6 months ago
Answer is A. AWS-managed CMK only supports this kind of key rotation "Once every three years automatically" https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
upvoted 4 times
DMR
3 years, 6 months ago
Customer managed CMKs Customer managed CMKs are CMKs in your AWS account that you create, own, and manage. You have full control over these CMKs, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the CMK, and scheduling the CMKs for deletion. https://aws.amazon.com/premiumsupport/knowledge-center/s3-object-encrpytion-keys/ https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
upvoted 1 times
jkwek
3 years, 7 months ago
Answer is A. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 2 times
GameLift
3 years, 7 months ago
Why not C?
upvoted 1 times
Twinkie
3 years, 6 months ago
It seems that SSE-S3 does not support CloudTrail, therefore only SSE-KMS (A) is audit-ready.
upvoted 4 times
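The three requirements in the question map to three things you control only on a customer managed key, as DMR's comment above (key policy, IAM policies, grants, rotation are yours to manage) and Twinkie's point about CloudTrail both note. The example below is added here and is not code from the exam page, from AWS, or from any commenter. It builds a key policy whose administrator and user statements name disjoint principals, checks an existing policy for a principal that can both manage and use the key, checks a rotation status against the 90-day rule, and pulls the S3-originated uses of the key out of CloudTrail records. Note on rotation: when this question was written, automatic rotation of a customer managed key was fixed at once a year, so a 90-day rule meant manual rotation (new key, then repoint the alias) as jkwek describes; AWS KMS has since added a configurable rotation period of 90 to 2560 days (`RotationPeriodInDays` on `EnableKeyRotation`), which is what `rotation_meets_policy` checks for. The account ID, role ARNs, key ARN and the CloudTrail records are all constructed for illustration.

```python
"""Added example (not code from the exam page): the three controls behind
answer A for a customer managed KMS key used with SSE-KMS.
Account ID, role ARNs, key ARN and the CloudTrail records are constructed."""
import fnmatch

ACCOUNT_ID = "111122223333"  # assumed account
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdministrators"  # assumed
USER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/DataLakeWriters"  # assumed
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # assumed

# Management-plane actions for key administrators; deliberately no Encrypt/Decrypt.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
# Data-plane actions for key users (what S3 needs to encrypt and decrypt objects).
USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(admin_principals, user_principals):
    """Key policy with administrators and users in separate statements."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowKeyAdministrators", "Effect": "Allow",
             "Principal": {"AWS": list(admin_principals)},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "AllowKeyUsers", "Effect": "Allow",
             "Principal": {"AWS": list(user_principals)},
             "Action": USER_ACTIONS, "Resource": "*"},
        ],
    }


def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return {"*"}
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return {aws} if isinstance(aws, str) else set(aws)


def _grants(stmt, probe):
    """True if the statement's Action (possibly wildcarded, e.g. kms:Put*) covers probe."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatch.fnmatchcase(probe, a) for a in actions)


def separation_violations(policy):
    """Principals allowed both to manage the key and to use it for crypto."""
    admins, users = set(), set()
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        if _grants(s, "kms:PutKeyPolicy") or _grants(s, "kms:ScheduleKeyDeletion"):
            admins |= _principals(s)
        if _grants(s, "kms:Decrypt") or _grants(s, "kms:GenerateDataKey"):
            users |= _principals(s)
    return admins & users


def rotation_meets_policy(status, max_days=90):
    """status mirrors a GetKeyRotationStatus response. Automatic rotation
    defaults to 365 days when no RotationPeriodInDays was configured."""
    return bool(status.get("KeyRotationEnabled")) and \
        status.get("RotationPeriodInDays", 365) <= max_days


def s3_key_usage(events, key_arn):
    """Audit trail: (caller, KMS API, S3 object) for each CloudTrail record of a
    KMS call on key_arn made via S3 (S3 sets the aws:s3:arn encryption context)."""
    out = []
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in e.get("resources", [])):
            continue
        ctx = e.get("requestParameters", {}).get("encryptionContext", {})
        out.append((e["userIdentity"].get("arn"), e["eventName"], ctx.get("aws:s3:arn")))
    return out


# Constructed CloudTrail records, trimmed to the fields used above.
_CALLER = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/DataLakeWriters/ingest-job"
_OBJ = "arn:aws:s3:::datalake-raw/2024/events.parquet"
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": _CALLER}, "resources": [{"ARN": KEY_ARN}],
     "requestParameters": {"encryptionContext": {"aws:s3:arn": _OBJ}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": _CALLER}, "resources": [{"ARN": KEY_ARN}],
     "requestParameters": {"encryptionContext": {"aws:s3:arn": _OBJ}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",  # another key: ignored
     "userIdentity": {"arn": _CALLER}, "resources": [{"ARN": KEY_ARN.replace("1234abcd", "ffffffff")}],
     "requestParameters": {"encryptionContext": {}}},
]
```

Two caveats when you run a check like `separation_violations` against a real key. The console's default key policy starts with an "Enable IAM User Permissions" statement that grants `kms:*` to the account root; the check flags root, which is correct, but more importantly that statement delegates everything to IAM policies, so separation must then also be enforced in IAM, not only in the key policy. And with an AWS managed key (option B) none of this applies: you cannot edit its key policy, and its rotation schedule is fixed by AWS.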
KK_uniq
3 years, 7 months ago
A for sure since AWS managed CMK has only automatic rotation
upvoted 4 times
waqas
3 years, 7 months ago
It's A.
upvoted 4 times
dmscountera
3 years, 7 months ago
A. Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs)
upvoted 6 times
Community vote distribution: A (35%), C (25%), B (20%), other