Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 942 discussion

SSE keys provided usage fee application and there is no monthly charges, hence its a correct option. D is highly cost option with monthly and usage fee. which is incorrect.

"Automatically" rotate, then make it handled by AWS service, not by customer -> C, not D

"automatically rotate the encryption key" => C or D (because of KMS), then "able to track key rotation" => Just D.

Option C: Incorrect. Though server-side encryption with AWS KMS keys (SSE-KMS) would allow AWS to manage keys and enable logging via AWS CloudTrail, this option uses AWS-managed keys instead of customer-managed keys, limiting control over key rotations. Additionally, there can be more costs involved in using AWS-managed KMS keys compared to the customer managing their own. Option D: Correct. Using server-side encryption with customer-managed AWS KMS keys allows the company to have full control over the encryption keys, including managing and ensuring automatic rotation every year. Moreover, AWS CloudTrail can be employed to log events associated with AWS KMS, enabling the tracking of when keys are rotated. This option balances cost-effectiveness with the operational requirements specified, as it provides the necessary control without unnecessary expenses from more specialized AWS services.

I will choose Option D for the following reasons: #1 Automatic key rotation: AWS KMS allows you to set up automatic key rotation for customer managed keys, which fulfills the requirement to rotate encryption keys yearly. # 2 CloudTrail tracking: All KMS key operations are logged in CloudTrail, enabling you to track key rotation activity. #3 Lowest cost: While using customer-provided keys (SSE-C) might seem cost-effective at first glance, managing your own keys adds complexity and can be more expensive in the long run. #$ Compliance with security policies: Using customer managed KMS keys ensures that the company has full control over the encryption keys, meeting the stringent security requirements

D auto-rotation feature > customer managed key

D. customer needs to see the logs from Cloudtrail!

Answer is C. There is no monthly fee for AWS managed keys https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk

Customer managed key: Monthly fee (pro-rated hourly) + Per-use fee + rotation and cloudtrail AWS managed key: No monthly fee + Per-use fee (some AWS services pay this fee for you)+ rotation and cloudtrail

D gives you control, allows you to customise for example rotation policies to suit your compliance needs.

Answer is D