Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 202 discussion

KEYWORD: LEAST operational overhead To encrypt the data when it is stored in the S3 bucket and automatically rotate the encryption key every year with the least operational overhead, the company can use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). SSE-S3 uses keys that are managed by Amazon S3, and the built-in key rotation behavior of SSE-S3 encryption keys automatically rotates the keys every year. To meet the requirements of the company, the solutions architect can move the data to the S3 bucket and enable server-side encryption with SSE-S3. This solution requires no additional configuration or maintenance and has the least operational overhead. Hence, the correct answer is; Option A. Move the data to the S3 bucket. Use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.

SSE-S3 - is free and uses AWS owned CMKs (CMK = Customer Master Key). The encryption key is owned and managed by AWS, and is shared among many accounts. Its rotation is automatic with time that varies as shown in the table here. The time is not explicitly defined. SSE-KMS - has two flavors: AWS managed CMK. This is free CMK generated only for your account. You can only view it policies and audit usage, but not manage it. Rotation is automatic - once per 1095 days (3 years), Customer managed CMK. This uses your own key that you create and can manage. Rotation is not enabled by default. But if you enable it, it will be automatically rotated every 1 year. This variant can also use an imported key material by you. If you create such key with an imported material, there is no automated rotation. Only manual rotation. SSE-C - customer provided key. The encryption key is fully managed by you outside of AWS. AWS will not rotate it.

nowhere in question they mentioned about control over keys or customization of keys, so choosing option B shouldnt be considered. In Option A SSE-S3, AWS manages everything . Primary concern raised in question is operational overhead with autorotation of keys.

SSE-S3 is powerful for data encryption at rest guys. Each single object is encrypted with a different key. SSE-S3 automatically rotates all keys. However, SSE-S3 does not log any information concerning key encryption or rotation.

As far as I know, SSE-S3 encryption uses keys which we can't view, nor do we know the rotation period of them. SSE-S3 and AWS-Managed KMS Keys are not the same: AWS Managed KMS Keys are rotated every 365 days AWS Customer-Managed Keys have optional rotation SSE-S3 Encryption is not either of them, thus A should be eliminated. Since we do not have an option here to use an AWS-managed KMS key, the only valid option is to use a customer-managed key and enable key rotation.

All options except A suggesting cusomer key, why customer key would be needed here.

B for sure

AWS can change rotation period anytime but Customer says 'must be automatically rotated' hence answer should be B in this case.

Interestingly the answer for this used to be B, and now its A. After May 2022 AWS changed the rotation schedule for SSE-S3. See documentation here: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys . AWS managed keys AWS KMS automatically rotates AWS managed keys every year (approximately 365 days). You cannot enable or disable key rotation for AWS managed keys. In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days). New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter. Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter. ---- If this comes up in the exam, remember ! you can use SSE-S3 for yearly rotation now.

SSE-KMS - Customer managed keys - Automatic rotation - Guarantees yearly key rotation (unlike SSE-S3 where you do not have control on key rotation) and also meets the least operational overhead.

Option A: Utilizes server-side encryption with Amazon S3 managed encryption keys (SSE-S3), which is the simplest and most straightforward way to encrypt data stored in Amazon S3. SSE-S3 automatically handles key rotation, eliminating the need for manual key rotation. This solution provides encryption for the data in the S3 bucket without requiring any additional setup or management. Option B: Involves setting up a customer managed KMS key, enabling automatic key rotation, and then setting the S3 bucket's default encryption behavior to use the customer managed KMS key. While this option also provides encryption and automatic key rotation, it involves more setup and management compared to SSE-S3.

It's A. Because it's said that they need with LEAST operation overhead and S3 Managed Keys can rotate automatically every year without needing the user intervention. For the Customer Managed Keys, you need to do some configuration for that.

Both A and B are viable answers but A with SSE-S3 is least operational overhead. B will require customer to manage the key. ***HOWEVER*** note that SSE-S£ managed keys are rotated periodically so there is no user control on limiting the rotation to "once a year". For exam, probably read the question with full context and hope there is more detail in the actual exam!

Please see JayBee response below. Make sense.

Now "all AWS managed keys are automatically rotated every year. You cannot change this rotation schedule". However, if you insist that option A also specifies the order of steps then it would be wrong, you'd need to enable encryption BEFORE moving the data to the bucket. But per my understanding of English, the order is not specified, it's just a combination of things you do. Otherwise B would be the correct answer, but it has more operational overhead than A, at least now. Probably the question is old.

nowhere in this documentation states how often the keys are rotated, and only the key that encrypts the S3 encryption key actually gets to rotate. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html

I'm voting B Each object in s3 using SSE-S3 uses separate key, this key is encrypted using another master key that is regularly rotated but AWS doesn't share how often it happens. With SSE-KMS you have option to tick: "Automatically rotate this KMS key every year.".