SAA-C03 Question #476: Real Exam Question with Answer & Explanation
The correct answer is B: Server-side encryption with AWS KMS managed keys (SSE-KMS).
Question
A solutions architect is storing sensitive data generated by an application in Amazon S3. The solutions architect wants to encrypt the data at rest. A company policy requires an audit trail of when the AWS KMS key was used and by whom. Which encryption option will meet these requirements?
Options
- A. Server-side encryption with Amazon S3 managed keys (SSE-S3)
- B. Server-side encryption with AWS KMS managed keys (SSE-KMS)
- C. Server-side encryption with customer-provided keys (SSE-C)
- D. Server-side encryption with self-managed keys
Explanation
SSE-KMS (Server-side encryption with AWS Key Management Service) not only encrypts data at rest but also integrates with AWS CloudTrail to provide detailed logs of key usage -- meeting the audit requirement. "SSE-KMS provides the ability to audit key usage to see who used the key and when, via AWS
- Encryption with customer-managed or AWS-managed KMS keys
- Audit trails of key usage events
- Fine-grained access control
Incorrect Options:
- A: SSE-S3 does not support auditing of key usage.
- C: SSE-C does not integrate with CloudTrail or KMS.
- D: Self-managed keys require external key infrastructure and custom audit logging.
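To show what the "who used the key and when" audit trail looks like in practice, the following added example (not part of the original page) filters CloudTrail records down to the KMS calls made against one key and reports the caller, time, S3 object and outcome. The field names are CloudTrail's own; the key ARN, bucket, principals and records are constructed placeholders, and the records are assumed to be already loaded as dictionaries.

```python
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
OBJ = "arn:aws:s3:::example-bucket/report.csv"                     # placeholder
WRITER = "arn:aws:iam::111122223333:user/app-writer"
READER = "arn:aws:sts::111122223333:assumed-role/report-reader/s1"


def rec(time, source, name, who, key=KEY_ARN, ctx=None, error=None):
    """Build a constructed record using CloudTrail's field names."""
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "userIdentity": {"arn": who},
         "requestParameters": {"encryptionContext": ctx} if ctx else None,
         "resources": [{"ARN": key, "type": "AWS::KMS::Key"}]}
    return {**r, "errorCode": error} if error else r


# Constructed sample, deliberately out of time order.
SAMPLE = [
    rec("2024-05-01T10:07:00Z", "kms.amazonaws.com", "Decrypt", READER,
        ctx={"aws:s3:arn": OBJ}),
    rec("2024-05-01T10:00:00Z", "kms.amazonaws.com", "GenerateDataKey", WRITER,
        ctx={"aws:s3:arn": OBJ}),
    rec("2024-05-01T10:00:01Z", "s3.amazonaws.com", "PutObject", WRITER),
    rec("2024-05-01T10:09:00Z", "kms.amazonaws.com", "Decrypt", READER,
        key=KEY_ARN + "-other", ctx={"aws:s3:arn": OBJ}),
    rec("2024-05-01T10:12:00Z", "kms.amazonaws.com", "Decrypt", WRITER,
        ctx={"aws:s3:arn": OBJ}, error="AccessDenied"),
]


def key_usage(events, key_arn):
    """Return (when, who, operation, s3_object, outcome) rows for one KMS key."""
    rows = []
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS API calls count as key-usage events
        if key_arn not in {r.get("ARN") for r in e.get("resources") or []}:
            continue  # call was made against a different key
        ctx = (e.get("requestParameters") or {}).get("encryptionContext") or {}
        rows.append((e["eventTime"],
                     (e.get("userIdentity") or {}).get("arn", "unknown"),
                     e["eventName"],
                     ctx.get("aws:s3:arn"),  # set by S3 on SSE-KMS requests
                     "denied" if e.get("errorCode") else "ok"))
    return sorted(rows, key=lambda r: r[0])  # ISO-8601 UTC sorts by time


if __name__ == "__main__":
    for row in key_usage(SAMPLE, KEY_ARN):
        print(*row, sep="  ")
```

Denied calls are kept in the output because failed attempts to use the key belong in the audit trail as much as successful ones.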