Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 942 discussion

SSE keys provided usage fee application and there is no monthly charges, hence its a correct option. D is highly cost option with monthly and usage fee. which is incorrect.

With all due respect, I think option "C" is poorly written, and it reflects on the lack of consensus with this one. A "server-side encryption with customer managed AWS KMS keys" (option "D") is nothing but an implementation of a "server-side encryption with AWS KMS keys" (option "C"), and both are SSE-KMS. What I think op tried to express with option C is: "Use server-side encryption with AWS-MANAGED AWS KMS keys (SSE-KMS). If my guess is correct, option "C" is the right answer, according to the table shown in this link: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk Option C and Option D satisfied all the technical requirements of the company, but option C is $1/month cheaper than option D

AWS-managed keys are automatically rotated every year (approximately 365 days) by AWS. Key rotation cannot be enabled or disabled for AWS-managed keys, ensuring compliance with the rotation requirement. When AWS KMS rotates the key material for an AWS-managed key, it writes: A KMS CMK Rotation event to Amazon EventBridge, A RotateKey event to AWS CloudTrail. This allows the company to track key rotation events for auditing purposes. Cost Minimization:AWS-managed keys are free to use (no additional cost beyond the base AWS KMS pricing for API calls). This helps minimize costs. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

"Automatically" rotate, then make it handled by AWS service, not by customer -> C, not D

"automatically rotate the encryption key" => C or D (because of KMS), then "able to track key rotation" => Just D.

Option C: Incorrect. Though server-side encryption with AWS KMS keys (SSE-KMS) would allow AWS to manage keys and enable logging via AWS CloudTrail, this option uses AWS-managed keys instead of customer-managed keys, limiting control over key rotations. Additionally, there can be more costs involved in using AWS-managed KMS keys compared to the customer managing their own. Option D: Correct. Using server-side encryption with customer-managed AWS KMS keys allows the company to have full control over the encryption keys, including managing and ensuring automatic rotation every year. Moreover, AWS CloudTrail can be employed to log events associated with AWS KMS, enabling the tracking of when keys are rotated. This option balances cost-effectiveness with the operational requirements specified, as it provides the necessary control without unnecessary expenses from more specialized AWS services.

I will choose Option D for the following reasons: #1 Automatic key rotation: AWS KMS allows you to set up automatic key rotation for customer managed keys, which fulfills the requirement to rotate encryption keys yearly. # 2 CloudTrail tracking: All KMS key operations are logged in CloudTrail, enabling you to track key rotation activity. #3 Lowest cost: While using customer-provided keys (SSE-C) might seem cost-effective at first glance, managing your own keys adds complexity and can be more expensive in the long run. #$ Compliance with security policies: Using customer managed KMS keys ensures that the company has full control over the encryption keys, meeting the stringent security requirements

D auto-rotation feature > customer managed key

D. customer needs to see the logs from Cloudtrail!

Answer is C. There is no monthly fee for AWS managed keys https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk

Customer managed key: Monthly fee (pro-rated hourly) + Per-use fee + rotation and cloudtrail AWS managed key: No monthly fee + Per-use fee (some AWS services pay this fee for you)+ rotation and cloudtrail

D gives you control, allows you to customise for example rotation policies to suit your compliance needs.

Answer is D