    Medium · 1 mark · Multiple Choice
    Domain 1.2: Security Controls · Security · KMS · S3

    AWS SAP-C02 · Question 07 · Domain 1.2: Security Controls

    A company stores highly sensitive PII in Amazon S3. They require that data is encrypted at rest using keys managed by the company. The company must be able to immediately revoke access to the keys, rendering the data unreadable. Which encryption strategy meets these requirements?

    Answer options:

    A. Use Server-Side Encryption with Amazon S3 Managed Keys (SSE-S3).

    B. Use Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS).

    C. Use Server-Side Encryption with AWS KMS AWS Managed Keys (aws/s3).

    D. Enable S3 Object Lock in Compliance mode.

    How to approach this question

    Look for the encryption method that gives the customer full control over key lifecycle.

    Full Answer

    B. Use Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS). ✓ Correct
    SSE-KMS with Customer Managed Keys gives you full control over the key policy and lifecycle, allowing immediate revocation of access.

    Common mistakes

    Confusing AWS Managed Keys with Customer Managed Keys.