ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 2.3: Security ControlsSecurityKMSEncryption

AWS SAP-C02 · Question 23 · Domain 2.3: Security Controls

A financial services company is building a new application on AWS. They must ensure that all data at rest is encrypted using keys managed by the company (Customer Managed Keys). The security team requires that the encryption keys are automatically rotated every year, and that specific IAM roles can only use the keys for encryption, not decryption. Which combination of actions should the Architect take? (Select THREE)

Answer options:

A.

Create an AWS KMS Customer Managed Key (CMK) with automatic key rotation enabled.

B.

Define a key policy that grants the kms:Encrypt action to the specific IAM roles.

C.

Define a key policy that explicitly denies the kms:Decrypt action for the specific IAM roles.

D.

Use AWS CloudHSM to generate the keys and configure automatic annual rotation.

E.

Create an AWS Managed Key and enable automatic rotation.

F.

Use AWS Secrets Manager to store the KMS keys and configure a Lambda function for rotation.

How to approach this question

Select the KMS features that support custom rotation and granular permissions.

Full Answer

Create an AWS KMS Customer Managed Key (CMK) with automatic key rotation enabled., Define a key policy that grants the kms:Encrypt action to the specific IAM roles., Define a key policy that explicitly denies the kms:Decrypt action for the specific IAM roles.
AWS Key Management Service (KMS) allows you to create Customer Managed Keys (CMKs) and enable automatic annual rotation. To enforce strict separation of duties (encryption vs. decryption), you configure the KMS Key Policy to explicitly grant `kms:Encrypt` and explicitly deny `kms:Decrypt` for the specified IAM roles.

Common mistakes

Selecting AWS Managed Keys (rotated every 3 years) or CloudHSM (no automatic rotation).
22All questions24

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A global enterprise is redesigning its AWS network architecture across 50 AWS accounts and 3 AWS ...HardQ02A company uses AWS Organizations to manage multiple accounts. The security team mandates that no ...MediumQ03A financial institution requires a disaster recovery strategy for its critical trading applicatio...HardQ04An enterprise is setting up a new multi-account AWS environment using AWS Control Tower. They nee...MediumQ05A company has a complex AWS environment with hundreds of linked accounts under AWS Organizations....Hard
View all 75 questions →