Medium · 1 mark · Multiple Choice
Domain 2.3: Security Controls · Security · Encryption · KMS

AWS SAP-C02 · Question 08 · Domain 2.3: Security Controls

An application stores sensitive PII in Amazon S3. Compliance requires that the data is encrypted at rest using keys managed by the company, and that the encryption keys are rotated automatically every year. Which encryption strategy meets these requirements?

Answer options:

A. Server-Side Encryption with Amazon S3 Managed Keys (SSE-S3).

B. Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS) with automatic key rotation enabled.

C. Client-Side Encryption using AWS KMS.

D. Server-Side Encryption with AWS KMS AWS Managed Keys.

How to approach this question

Identify the KMS key type that allows customer control and automatic rotation.

Full Answer

B. Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS) with automatic key rotation enabled. ✓ Correct
Customer Managed Keys in KMS allow users to enable automatic rotation, which occurs every 365 days.

Common mistakes

Confusing AWS Managed Keys (rotated every 3 years) with Customer Managed Keys.
