Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 189 discussion

A company needs to store contract documents. A contract lasts for 5 years. During the 5-year period, the company must ensure that the documents cannot be overwritten or deleted. The company needs to encrypt the documents at rest and rotate the encryption keys automatically every year.

Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead? (Choose two.)

  • A. Store the documents in Amazon S3. Use S3 Object Lock in governance mode.
  • B. Store the documents in Amazon S3. Use S3 Object Lock in compliance mode.
  • C. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure key rotation.
  • D. Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.
  • E. Use server-side encryption with AWS Key Management Service (AWS KMS) customer provided (imported) keys. Configure key rotation.
Suggested Answer: CE
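A read-only audit of the two requirements in the question (no overwrite or delete for 5 years, automatic yearly key rotation), added here as an example and not part of the original page. It assumes input dicts shaped like the boto3 responses of s3.get_object_lock_configuration, s3.get_bucket_encryption, kms.describe_key and kms.get_key_rotation_status, and the sample data is constructed rather than captured from a real account:

```python
# Added example, not from the original page: a read-only audit of the question's
# two requirements over dicts shaped like the boto3 responses of
# s3.get_object_lock_configuration, s3.get_bucket_encryption, kms.describe_key
# and kms.get_key_rotation_status. The sample below is constructed, not captured.

REQUIRED_YEARS = 5       # contract duration from the question
MAX_ROTATION_DAYS = 365  # "rotate the encryption keys automatically every year"

def audit(lock_cfg, enc_cfg, key_meta, rotation):
    """Return a list of findings; an empty list means options B and D are in place."""
    findings = []
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    ret = lock.get("Rule", {}).get("DefaultRetention", {})
    if ret.get("Mode") != "COMPLIANCE":  # governance mode can be lifted by privileged users
        findings.append(f"retention mode {ret.get('Mode')!r}: only COMPLIANCE blocks every overwrite/delete")
    years = ret.get("Years", 0) + ret.get("Days", 0) / 365
    if years < REQUIRED_YEARS:
        findings.append(f"default retention of {years:.1f} years is shorter than {REQUIRED_YEARS}")
    rules = enc_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if default.get("SSEAlgorithm") != "aws:kms":  # SSE-S3 ("AES256") has no customer-set rotation schedule
        findings.append(f"default encryption {default.get('SSEAlgorithm')!r} is not SSE-KMS")
    meta = key_meta.get("KeyMetadata", {})
    if meta.get("KeyManager") != "CUSTOMER":  # AWS managed keys: rotation cannot be configured (option C)
        findings.append("KMS key is AWS managed; its rotation is not customer configurable")
    if meta.get("Origin") == "EXTERNAL":  # imported key material (option E) cannot auto-rotate
        findings.append("KMS key material is imported; automatic rotation is unavailable")
    if not rotation.get("KeyRotationEnabled"):
        findings.append("automatic key rotation is not enabled on the KMS key")
    elif rotation.get("RotationPeriodInDays", 365) > MAX_ROTATION_DAYS:
        findings.append(f"rotation period of {rotation['RotationPeriodInDays']} days exceeds a year")
    return findings

# Constructed sample of options B + D: compliance-mode lock for 5 years and
# SSE-KMS with a customer managed, KMS-generated key rotating yearly.
SAMPLE_B_PLUS_D = {
    "lock_cfg": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 5}}}},
    "enc_cfg": {"ServerSideEncryptionConfiguration": {"Rules": [{
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                       "KMSMasterKeyID": "alias/contracts"}}]}},
    "key_meta": {"KeyMetadata": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}},
    "rotation": {"KeyRotationEnabled": True, "RotationPeriodInDays": 365},
}

if __name__ == "__main__":
    print(audit(**SAMPLE_B_PLUS_D) or ["OK: B + D satisfied"])
```

Feeding it the real boto3 responses for a bucket and its key turns the answer-key debate in the comments into a repeatable check.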

Comments

[Removed]
Highly Voted 1 year, 6 months ago
Selected Answer: BD
Originally answered B and C due to least operational overhead. After research, it's bugging me that the S3 key rotation is determined based on AWS master key rotation, which cannot guarantee the key is rotated within a 365-day period; it is stated as "varies" in the documentation. Also, it's impossible to configure this in the console. KMS-C is a tick box in the console to turn on annual key rotation but requires more operational overhead than SSE-S3. C - will not guarantee the question's objectives but requires little overhead. D - will guarantee the question's objective with more overhead.
upvoted 23 times
vadiminski_a
1 year, 6 months ago
I'd have to disagree on that. It states here that AWS managed keys are rotated every year, which is what the question asks: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html so C would be correct. However, it also states that you cannot enable or disable rotation for AWS managed keys, which would again point towards D.
upvoted 3 times
jdr75
1 year, 2 months ago
You can't use this link https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html to say that "SSE-S3" rotates every year, because precisely that link refers to "KMS", which is covered by option D. That's the reason the solution is B+D.
upvoted 2 times
LeGloupier
Highly Voted 1 year, 7 months ago
Selected Answer: BD
Should be BD. C could have been fine, but key rotation is activated by default on SSE-S3, and there is no way to deactivate it, if I am not wrong.
upvoted 7 times
lofzee
Most Recent 3 weeks, 3 days ago
Selected Answer: BD
basically what that pentium75 guy said - correct.
upvoted 1 times
sudohogan
1 month, 2 weeks ago
"Least operational overhead": C
upvoted 1 times
huangyou2003
2 months ago
Selected Answer: BD
C - you don't have control over the rotation schedule for SSE-S3.
upvoted 1 times
Tralfalgarlaw
2 months ago
Selected Answer: BD
B. Using S3 Object Lock in compliance mode ensures that the documents cannot be substituted or deleted during the specified retention period, which in this case is 5 years. This helps meet the requirement of ensuring the documents remain immutable for the duration of the contract. D. Using server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys allows for encryption of the documents at rest. Additionally, configuring key rotation for the customer managed keys ensures that the encryption keys are automatically rotated every year, meeting the requirement of rotating encryption keys automatically.
upvoted 1 times
MehulKapadia
2 months, 1 week ago
Selected Answer: BD
Answer: BD.
B: S3 Compliance Mode ensures no one can overwrite or delete the object.
D: Customer-managed KMS key: automatic rotation (must be enabled) every 1 year.
Options not right:
A: Governance mode allows override and delete.
C: SSE-S3: customers do not have control over rotation of keys (which is once a year in our requirement).
E: As per AWS documentation, customer imported keys cannot be auto-rotated.
upvoted 1 times
scar0909
3 months, 1 week ago
Selected Answer: BD
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 1 times
thewalker
4 months, 3 weeks ago
Selected Answer: BD
The best option to encrypt data at rest in Amazon S3 and rotate the keys every year is to use AWS KMS (Key Management Service). With AWS KMS: You can create a customer master key (CMK) and schedule automatic key rotation every year. This ensures the data is encrypted with a new key annually. When storing objects in S3, you can choose server-side encryption with AWS KMS (SSE-KMS). This will encrypt the data with the CMK you created. Even if the encrypted data is copied or transferred, it will remain encrypted since the keys are managed by KMS. You have full control over the keys and can define IAM policies for key access. AWS manages the encryption, key operations and auditing through integrated services like CloudTrail. It provides an end-to-end encryption solution within AWS without needing to handle encryption/decryption yourself.
upvoted 1 times
omarshaban
5 months ago
THIS WAS IN MY EXAM
upvoted 2 times
pentium75
5 months, 3 weeks ago
Selected Answer: BD
A - Governance mode allows exceptions.
B - Yes.
C - SSE-S3 rotates keys when AWS thinks it is right, not when the customer wants ("every year").
D - Yes.
E - "customer provided (imported) keys" can obviously not be 'rotated automatically'; the customer would have to provide/import new keys.
upvoted 6 times
celestial39
4 months, 2 weeks ago
KMS indeed rotates keys every year, but the reason why C is wrong is that the Amazon managed keys can't be configured to rotate or not. REF: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
upvoted 1 times
LoXoL
5 months ago
Agree with pentium75
upvoted 2 times
Mikado211
6 months, 1 week ago
File cannot be overwritten = S3 compliance mode. Encryption AT REST = user-side encryption.
upvoted 1 times
Mikado211
6 months, 1 week ago
so the correct answer is BD
upvoted 1 times
awsgeek75
5 months ago
user side encryption?
upvoted 1 times
Mikado211
6 months, 1 week ago
Selected Answer: BD
File cannot be overwritten = compliance mode. Encryption AT REST = user-side encryption.
upvoted 2 times
ale_brd_
6 months, 1 week ago
Selected Answer: BD
Question might be outdated. Amazon S3 now automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the default encryption for all buckets since January 5, 2023. Additionally, it encrypts the key itself with another key that undergoes regular rotation, enhancing security. Regarding key rotation, the document specifies that the key used to encrypt the S3 Encryption Key undergoes regular rotation. However, it does not explicitly mention the rotation frequency or the ability to customize it. Therefore, considering the requirement for key rotation and the lack of explicit details about rotation frequency, options B and D would be suitable choices.
upvoted 3 times
Leo1688
6 months, 1 week ago
Answer CE is wrong, I voted BD.
upvoted 1 times
ansagr
6 months, 2 weeks ago
Selected Answer: BD
While SSE-S3 provides encryption at rest, it doesn’t support key rotation for the customer to manage.
upvoted 1 times
Ruffyit
7 months, 2 weeks ago
B. By using S3 Object Lock in compliance mode, it enforces a strict retention policy on the objects, preventing any modifications or deletions. D. By using server-side encryption with AWS KMS customer managed keys, the documents are encrypted with a customer-controlled key. Enabling key rotation ensures that a new encryption key is generated automatically at the defined rotation interval, enhancing security. Option A: S3 Object Lock in governance mode does not provide the required immutability for the documents, allowing potential modifications or deletions. Option C: Server-side encryption with SSE-S3 alone does not fulfill the requirement of encryption key rotation, which is explicitly specified. Option E: Server-side encryption with customer-provided (imported) keys (SSE-C) is not necessary when AWS KMS customer managed keys (Option D) can be used, which provide a more integrated and manageable solution.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other