Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 202 discussion

KEYWORD: LEAST operational overhead To encrypt the data when it is stored in the S3 bucket and automatically rotate the encryption key every year with the least operational overhead, the company can use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). SSE-S3 uses keys that are managed by Amazon S3, and the built-in key rotation behavior of SSE-S3 encryption keys automatically rotates the keys every year. To meet the requirements of the company, the solutions architect can move the data to the S3 bucket and enable server-side encryption with SSE-S3. This solution requires no additional configuration or maintenance and has the least operational overhead. Hence, the correct answer is; Option A. Move the data to the S3 bucket. Use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.

SSE-S3 - is free and uses AWS owned CMKs (CMK = Customer Master Key). The encryption key is owned and managed by AWS, and is shared among many accounts. Its rotation is automatic with time that varies as shown in the table here. The time is not explicitly defined. SSE-KMS - has two flavors: AWS managed CMK. This is free CMK generated only for your account. You can only view it policies and audit usage, but not manage it. Rotation is automatic - once per 1095 days (3 years), Customer managed CMK. This uses your own key that you create and can manage. Rotation is not enabled by default. But if you enable it, it will be automatically rotated every 1 year. This variant can also use an imported key material by you. If you create such key with an imported material, there is no automated rotation. Only manual rotation. SSE-C - customer provided key. The encryption key is fully managed by you outside of AWS. AWS will not rotate it.

Why it is not B - we can not rely on implicit period of rotation for S3 kry.

Amazon S3 managed encryption keys (SSE-S3), Amazon S3 handles the key rotation automatically and regularly. Key points regarding the rotation schedule: SSE-S3 uses a unique encryption key for each object. These individual object keys are themselves encrypted with a root key. Amazon S3 regularly rotates this root key as an additional security measure. The exact rotation schedule for the root key is not publicly disclosed for security reasons. Hence Answer is B

The answer should be B in this case cause we exactly know that AWS Managed (SSE-KMS) is automatically rotated annually. AWS does not disclose the rotation schedule of SSE-S3 keys

SSE-S3 is not rotate keys every year

It can be done with A & B, but with A, SSE-S3 there are no charges.

AWS does not specify the exact rotation frequency for SSE-S3 root keys, AWS Managed Keys are rotated annually, and Customer Managed Keys offer customizable rotation options.

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in AWS CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the AWS Command Line Interface and AWS SDKs.

A is incorrect because SSE-S3 rotates keys when AWS thinks is right, not when customer wants ("every year") B is correct because AWS KMS customer managed keys allow automatic key rotation every year, meeting the requirement while minimizing operational overhead.

Encryption in S3: S3 supports encryption at rest using Server-Side Encryption (SSE). Key Rotation: SSE-S3 (Option A): Uses Amazon S3-managed encryption keys, but these keys do not provide configurable automatic rotation or fine-grained control over key management. Customer Managed Keys in AWS KMS (Option B): Allow full control, including automatic key rotation every year, meeting the requirement with low operational overhead. Manually rotating keys (Option C) adds operational overhead and is unnecessary since AWS KMS supports automatic rotation. Client-Side Encryption (Option D) increases operational complexity unnecessarily.

B seems correct option as AWS does not specify the keys rotation period for SSE-S3. So, it cannot be A.

AWS Key Management Service (KMS) customer managed keys support automatic annual rotation. By setting the S3 bucket's default encryption to use this KMS key, data is encrypted automatically when stored. Meets both the encryption and rotation requirements with low operational overhead.

Why Option B is Correct: AWS KMS Customer Managed Keys (CMKs): Customer managed KMS keys allow you to control encryption and enable automatic key rotation. Key rotation is handled seamlessly by AWS KMS, with no manual intervention required. Default S3 Encryption Behavior: Setting the S3 bucket’s default encryption to use the KMS CMK ensures all objects are automatically encrypted as they are uploaded. Operational Overhead: AWS automatically rotates the keys annually without impacting existing encrypted data, reducing operational overhead.

Agree with A - Least operational overhead is the word we should be looking for.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually AWS owned keys You cannot enable or disable key rotation for AWS owned keys. The key rotation strategy for an AWS owned key is determined by the AWS service that creates and manages the key. For details, see the Encryption at Rest topic in the user guide or developer guide for the service.

SSE-S3 does not support automatic key rotation. https://repost.aws/questions/QUES_1VN01TU-eRSO3LXergA/s3-managed-key-sse-s3-rotation-period