ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 825 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 825
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company is planning to migrate data to an Amazon S3 bucket. The data must be encrypted at rest within the S3 bucket. The encryption key must be rotated automatically every year.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Migrate the data to the S3 bucket. Use server-side encryption with Amazon S3 managed keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
  • B. Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket.
  • C. Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket. Manually rotate the KMS key every year.
  • D. Use customer key material to encrypt the data. Migrate the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by haci at March 21, 2024, 8:21 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
EllenLiu
3 months, 1 week ago
Selected Answer: B
https://repost.aws/questions/QUES_1VN01TU-eRSO3LXergA/s3-managed-key-sse-s3-rotation-period
upvoted 2 times
...
JoeTromundo
6 months ago
Selected Answer: B
The anwser can't be A. In addition to other justifications written here in the comments, if the data is copied before enabling encryption, this data will not be encrypted.
upvoted 3 times
...
Johnoppong101
7 months, 2 weeks ago
Selected Answer: B
B is the Answer
upvoted 1 times
...
n999
8 months ago
Selected Answer: A
It's said should be encrypted within S3 not before so A its correct
upvoted 2 times
Johnoppong101
7 months, 2 weeks ago
Me: Does SSE-S3 allow custom key rotation scheduling? Gemini: No, SSE-S3 does not allow for custom key rotation scheduling. Gemini: If you require more granular control over key rotation, you should consider using Server-Side Encryption with AWS KMS (SSE-KMS)
upvoted 1 times
...
...
Scheldon
9 months, 3 weeks ago
Selected Answer: B
AnswerB Looks like key rotation is only possible when KMS is in use. If we will use AWS managed keys Rotation is forced and if we will not provide any specifications regarding rotation time for key, KMS will rotate key every 365days. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
upvoted 3 times
...
sheilawu
10 months ago
Selected Answer: B
If you see rotation, SEE-SE is out
upvoted 3 times
...
f07ed8f
10 months, 1 week ago
Selected Answer: B
SSE-S3 does not rotate the key EVERY YEAR and it is not fit the requirement
upvoted 3 times
...
Linuslin
10 months, 2 weeks ago
Selected Answer: A
This question is flawed. SSE-S3 is not SSE-KMS, so it will not automatic rotation every year, only KMS will. (check link below) But the question says "LEAST operational overhead", I think it want us to choose SSE-S3, so I will pick option A.
upvoted 2 times
Linuslin
10 months, 2 weeks ago
SSE-S3 is the simplest method to use as encryption keys are handled and managed by AWS. But is not what we're saying about "AWS managed key", so it will not automatic rotation every year. https://catalog.us-east-1.prod.workshops.aws/workshops/aad9ff1e-b607-45bc-893f-121ea5224f24/en-US/s3/serverside/sses3 "AWS managed keys" are "KMS keys" in your account. And will (required) automatic rotation every year. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
upvoted 2 times
FlyingHawk
2 months ago
You are correct. SSE-S3 is not related to AWS KMS or AWS managed keys.
upvoted 1 times
...
EdricHoang
8 months ago
there are several pages (not the official aws page) said its 365 days. But, the official page does not mention about the rotation period is 365 days
upvoted 1 times
...
...
Linuslin
10 months, 2 weeks ago
SSE-KMS is similar to SSE-S3 but comes with some additional benefits over SSE-S3. And SSE-KMS is "AWS managed key." So it will (required) automatic rotation every year. https://catalog.us-east-1.prod.workshops.aws/workshops/aad9ff1e-b607-45bc-893f-121ea5224f24/en-US/s3/serverside/ssekms Difference between AWS S3 Bucket Encryption SSE-C , SSE-S3, SSE-KMS. https://awstip.com/5-minutes-to-aws-s3-bucket-encryption-sse-c-sse-s3-sse-kms-e2fb07b05cb3
upvoted 1 times
...
...
TwinSpark
10 months, 2 weeks ago
Selected Answer: B
I will go for B. A it's somehow wrong for coupl of reason: 1- Encription must be specified before to transfer the data (even if from 1/23 it's automatically for every bucket, so actualy make no sense to specify it) 2- SSE-S3 keys are regurarly rotated but aws do not specify when (https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html ) IMO if need to be compliance with rotation period better use Costumer managed key as stated from aws support in 01/2024 https://repost.aws/questions/QUES_1VN01TU-eRSO3LXergA/s3-managed-key-sse-s3-rotation-period
upvoted 2 times
...
bujuman
10 months, 2 weeks ago
Selected Answer: A
Considering the statement "the LEAST operational overhead" we could go for option A due to the following AWS managed keys capabilities https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
upvoted 1 times
...
f04dc74
11 months ago
Option A
upvoted 1 times
...
sandordini
11 months, 1 week ago
Selected Answer: A
From May 2022 the scheduled rotation is 1 year (SSE-S3)
upvoted 2 times
...
3b196fc
11 months, 2 weeks ago
A is wrong because you need to set the encryp options before send the data to S3.
upvoted 1 times
...
camps
1 year ago
It's B.
upvoted 1 times
...
TruthWS
1 year ago
A is correct because SSE-S3 help decrease the management
upvoted 2 times
...
Yushib
1 year ago
Selected Answer: B
B is the right one
upvoted 2 times
...
haci
1 year ago
Same with Question #202, I'll go with B but not sure
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago