Exam AWS Certified Developer Associate topic 1 question 131 discussion

Exam question from Amazon's AWS Certified Developer Associate
Question #: 131
Topic #: 1

A company stores documents in Amazon S3 with default settings. A new regulation requires the company to encrypt the documents at rest, rotate the encryption keys annually, and keep a record of when the encryption keys were rotated. The company does not want to manage the encryption keys outside of AWS.
Which solution will meet these requirements?

  • A. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
  • B. Use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
  • C. Use server-side encryption with customer-provided encryption keys (SSE-C).
  • D. Use client-side encryption before sending the data to Amazon S3.
Suggested Answer: B

Comments

Chhotu_DBA
Highly Voted 2 years, 10 months ago
Selected Answer: B
It should be B.
upvoted 10 times
Spamuel
2 years, 9 months ago
Agreed - AWS KMS provides auditability, whereas S3 does not.
upvoted 1 times
gary_gary
Highly Voted 2 years, 9 months ago
Selected Answer: B
Server-Side Encryption with AWS KMS keys (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service. There are separate permissions for the use of a KMS key that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail that shows when your KMS key was used and by whom. Additionally, you can create and manage customer managed keys or use AWS managed keys that are unique to you, your service, and your Region. https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
upvoted 8 times
SD_CS
Most Recent 1 year, 5 months ago
Selected Answer: B
It clearly states that the customer does not want to manage the key outside of AWS. Hence going for B; C cannot be correct.
upvoted 1 times
AswinDe
1 year, 11 months ago
How can it be C? The customer does not want to manage the key outside of AWS.
upvoted 2 times
pancman
2 years, 4 months ago
Selected Answer: B
B is the answer due to the rotation and audit requirements. SSE-KMS shows you when your KMS key was used and by whom. This type of record is not kept with S3 managed keys.
upvoted 2 times
Phinx
2 years, 5 months ago
Selected Answer: B
SSE-S3 key rotation is not per year, it's random.
upvoted 1 times
ninomfr64
1 year, 10 months ago
Docs mention this: "Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly". It seems the key is not rotated; instead, the key used to encrypt it is rotated. Rotation frequency is not mentioned. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html
upvoted 1 times
sichilam
2 years, 5 months ago
I vote for B
upvoted 1 times
ayoubmk
2 years, 6 months ago
Selected Answer: A
Amazon S3 managed encryption keys can do all requirements. The main advantage of SSE-KMS over SSE-S3 is the additional level of security provided by permissions on the KMS key itself and an audit trail that shows when your KMS key was used and by whom. !! There is nothing specified in the description about securing the KMS key or auditing the usage. Sure, B is better than A, but that requires an additional cost. I think the objective is to choose the better solution with a minimal cost? And now
upvoted 2 times
Phinx
2 years, 5 months ago
SSE-S3 key rotation is not per year, it's random.
upvoted 2 times
hamimelon
2 years, 7 months ago
B. AWS KMS provides key rotation.
upvoted 1 times
dark_cherrymon
2 years, 7 months ago
Selected Answer: B
I was thinking A or B; looking at the comments, it's B.
upvoted 2 times
szhang2004
2 years, 10 months ago
B is the answer
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other