Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 189 discussion

Originally answered B and C due to least operational overhead. after research its bugging me that the s3 key rotation is determined based on AWS master Key rotation which cannot guarantee the key is rotated with in a 365 day period. stated as "varies" in the documentation. also its impossible to configure this in the console. KMS-C is a tick box in the console to turn on annual key rotation but requires more operational overhead than SSE-S3. C - will not guarantee the questions objectives but requires little overhead. D - will guarantee the questions objective with more overhead.

A - Governance mode allows exceptions B - Yes C - SSE-S3 rotates keys when AWS thinks is right, not when customer wants ("every year") D - Yes E - "customer provided (imported) keys" can obviously not be 'rotated automatically', the customer would have to provide/import new keys.

SSE-S3 has the least operational overhead for encryption at rest with automatic key rotation because AWS fully manages the keys and their rotation (even if the schedule isn't user-configurable to be strictly annual). However, if the strict annual rotation is a non-negotiable requirement, then you would have to accept the slightly higher (but still relatively low) operational overhead of managing a KMS customer managed key with automatic annual rotation enabled. Option D. Given the wording of the original question prioritizing "least operational overhead," the intended answer likely leans towards the fully managed nature of SSE-S3's automatic rotation, even without a guaranteed annual cycle. If strict annual rotation was paramount, the question should have been phrased differently. IMHO

For me it is B and C. C because it does everything automatically and this is the requirement. (with LEAST operational overhead)

S3 Object Lock can help prevent Amazon S3 objects from being deleted or overwritten for a fixed amount of time or indefinitely. In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account.

BD for sure

basically what that pentium75 guy said - correct.

"Least operational overhead": C

C- you don't have control over rotation schedule for SSE-S3

B. Using S3 Object Lock in compliance mode ensures that the documents cannot be substituted or deleted during the specified retention period, which in this case is 5 years. This helps meet the requirement of ensuring the documents remain immutable for the duration of the contract. D. Using server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys allows for encryption of the documents at rest. Additionally, configuring key rotation for the customer managed keys ensures that the encryption keys are automatically rotated every year, meeting the requirement of rotating encryption keys automatically.

Answer: BD: B: S3 Compliance Mode ensures no one can overwrite or delete the object. D: Customer-managed KMS Key: (must be enabled) automatic every 1 year Options not right: A: Governance mode allows override and delete. C: SSE-S3 customer do not have control on rotation of keys(Which is once a year in our requirement) E: As per AWS Documentation, Customer Imported keys cannot be auto rotated.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

The best option to encrypt data at rest in Amazon S3 and rotate the keys every year is to use AWS KMS (Key Management Service). With AWS KMS: You can create a customer master key (CMK) and schedule automatic key rotation every year. This ensures the data is encrypted with a new key annually. When storing objects in S3, you can choose server-side encryption with AWS KMS (SSE-KMS). This will encrypt the data with the CMK you created. Even if the encrypted data is copied or transferred, it will remain encrypted since the keys are managed by KMS. You have full control over the keys and can define IAM policies for key access. AWS manages the encryption, key operations and auditing through integrated services like CloudTrail. It provides an end-to-end encryption solution within AWS without needing to handle encryption/decryption yourself.

THIS WAS IN MY EXAM

File cannot be overwitten = s3 compliance mode encryption AT REST = user-side encryption

File cannot be overwitten = compliance mode Encryption AT REST = user-side encryption

Question might be outdated. Amazon S3 now automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the default encryption for all buckets since January 5, 2023. Additionally, it encrypts the key itself with another key that undergoes regular rotation, enhancing security. Regarding key rotation, the document specifies that the key used to encrypt the S3 Encryption Key undergoes regular rotation. However, it does not explicitly mention the rotation frequency or the ability to customize it. Therefore, considering the requirement for key rotation and the lack of explicit details about rotation frequency, options B and D would be suitable choices.