Medium · 1 mark · Multiple Choice
AWS SAP-C02 · Question 07 · Domain 1.2: Security Controls
A company stores highly sensitive PII in Amazon S3. They require that data is encrypted at rest using keys managed by the company. The company must be able to immediately revoke access to the keys, rendering the data unreadable. Which encryption strategy meets these requirements?
Answer options:
A. Use Server-Side Encryption with Amazon S3 Managed Keys (SSE-S3).
B. Use Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS).
C. Use Server-Side Encryption with AWS KMS AWS Managed Keys (aws/s3).
D. Enable S3 Object Lock in Compliance mode.
How to approach this question
Look for the encryption method that gives the customer full control over key lifecycle.
Full Answer
B. Use Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS). ✓ Correct
SSE-KMS with Customer Managed Keys gives you full control over the key policy and lifecycle, allowing immediate revocation of access.
Common mistakes
Confusing AWS Managed Keys with Customer Managed Keys.