DVA-C02 · Question #203
A developer is storing sensitive data generated by an application in Amazon S3. The developer wants to encrypt the data at rest. A company policy requires an audit trail of when the AWS Key Management
The correct answer is B. Server-side encryption with AWS KMS managed keys (SSE-KMS). SSE-KMS is correct because it encrypts data using AWS KMS keys while automatically generating CloudTrail log entries every time the key is used, capturing who made the request, when, and from where - satisfying the audit trail requirement directly. SSE-S3 (A) uses keys managed en
Question
A developer is storing sensitive data generated by an application in Amazon S3. The developer wants to encrypt the data at rest. A company policy requires an audit trail of when the AWS Key Management Service (AWS KMS) key was used and by whom. Which encryption option will meet these requirements?
Options
- AServer-side encryption with Amazon S3 managed keys (SSE-S3)
- BServer-side encryption with AWS KMS managed keys (SSE-KMS)
- CServer-side encryption with customer-provided keys (SSE-C)
- DServer-side encryption with self-managed keys
How the community answered
(39 responses)- A8% (3)
- B87% (34)
- C3% (1)
- D3% (1)
Explanation
SSE-KMS is correct because it encrypts data using AWS KMS keys while automatically generating CloudTrail log entries every time the key is used, capturing who made the request, when, and from where - satisfying the audit trail requirement directly.
SSE-S3 (A) uses keys managed entirely by S3 itself; while encryption happens, there is no per-request KMS audit trail because KMS is never invoked. SSE-C (C) requires you to supply the key on every request, so AWS never stores it and KMS is not involved - no audit trail. Self-managed keys (D) means AWS has no visibility into key usage at all, making a centralized audit trail impossible without building your own logging infrastructure.
Memory tip: Whenever you see "audit trail" + "who used the key" in an AWS exam question, think KMS = CloudTrail. The two are inseparable - every KMS API call is logged automatically in CloudTrail, which is exactly what auditors want.
Community Discussion
No community discussion yet for this question.