A financial company requires that all data stored in Amazon S3 is encrypted at rest using keys managed by the company. The keys must be rotated automatically every year. Which TWO actions should the solutions architect take? (Select TWO.)

Answer options:

Use SSE-S3 (Amazon S3 managed keys).

Create a customer managed KMS key.

Use an AWS managed KMS key (aws/s3).

Enable automatic key rotation for the KMS key.

Store the encryption keys in AWS Secrets Manager and configure a Lambda function for rotation.

How to approach this question

Identify the need for customer control over keys and the native KMS rotation feature.

Full Answer

Customer managed KMS keys allow you to enable automatic key rotation, which generates new cryptographic material every year (365 days) while keeping the same key ID.

Common mistakes

Selecting AWS managed keys, which rotate every 3 years, not 1 year.

Question 05 All questions Question 07

Practice the full AWS SAA-C03 Practice Exam 5

65 questions · hints · full answers · grading

More questions from this exam

Q01A company needs to grant an external auditor read-only access to specific AWS resources. The audi...Easy Q02An application running on EC2 instances needs to access objects in an S3 bucket. The security tea...Medium Q03A company is designing a VPC for a multi-tier web application. They need to block specific malici...Medium Q04A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Hard Q05A company hosts a web application on an Application Load Balancer (ALB). They are experiencing SQ...Medium

View all 65 questions →