Topic 1 Question 825
A company is planning to migrate data to an Amazon S3 bucket. The data must be encrypted at rest within the S3 bucket. The encryption key must be rotated automatically every year.
Which solution will meet these requirements with the LEAST operational overhead?
A. Migrate the data to the S3 bucket. Use server-side encryption with Amazon S3 managed keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
B. Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket.
C. Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket. Manually rotate the KMS key every year.
D. Use customer key material to encrypt the data. Migrate the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.
Comments (17)
- Selected answer: B
SSE-S3 does not rotate the key EVERY YEAR and it does not fit the requirement
👍 3 f07ed8f 2024/05/21
- Selected answer: B
If you see rotation, SSE-S3 is out
👍 3 sheilawu 2024/05/28
- Selected answer: B
Answer B
Looks like key rotation is only possible when KMS is in use. If we use AWS managed keys, rotation is forced, and if we do not provide any specification regarding the rotation time for the key, KMS will rotate the key every 365 days.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
👍 3 Scheldon 2024/06/10