Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 150 discussion

Asymmetric keys (option C) are typically used for different use cases, such as digital signatures and key pairs, and may not be as suitable for automatic rotation in the described scenario. Imported key material (option D) means that you bring your own key material, and AWS KMS doesn't support automatic rotation for such keys. Amazon S3 managed keys (option A) are used specifically for Amazon S3 and don't support automatic rotation. so, option B is correct

B is the correct answer.

This option allows for automatic rotation of the keys, aligning with AWS best practices for key management and security. AWS KMS supports key rotation, which can be configured to occur automatically on an annual basis for customer managed keys. This ensures that data remains encrypted with a key that is periodically rotated, enhancing the security posture of the data stored in Amazon S3.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html Its a symmetric key rotation

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt all uploaded objects.

B. Symmetric customer managed keys with key material that is generated by AWS: This option allows the developer to create and manage their own encryption keys in AWS KMS, with AWS generating the key material. AWS KMS supports automatic rotation of customer managed keys. You can configure the key to rotate automatically once per year.

B is correct, it must use KMS

Option A (Amazon S3 managed keys) does not involve using AWS Key Management Service (AWS KMS) directly. Instead, it relies on Amazon S3 to manage the keys for server-side encryption. If the requirement is specifically to use AWS KMS for encryption, then Option A would not meet that requirement.

Only this option supports AWS KMS with the key rotation

Asymmetric keys (option C) are typically used for different use cases, such as digital signatures and key pairs, and may not be as suitable for automatic rotation in the described scenario. Imported key material (option D) means that you bring your own key material, and AWS KMS doesn't support automatic rotation for such keys. Amazon S3 managed keys (option A) are used specifically for Amazon S3 and don't support automatic rotation. so, option B is correct

A: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html

A) Amazon S3 Managed Keys https://docs.aws.amazon.com/pt_br/AmazonS3/latest/userguide/serv-side-encryption.html