SAA-C03 · Question #700
SAA-C03 Question #700: Real Exam Question with Answer & Explanation
The correct answer is B.
Question
A company stores sensitive financial reports in an Amazon S3 bucket. To comply with auditing requirements, the company must encrypt the data at rest. Users must not have the ability to change the encryption method or remove encryption when the users upload data. The company must be able to audit all encryption and storage actions. Which solution will meet these requirements and provide the MOST granular control?
Options
- A. Enable default server-side encryption with Amazon S3 managed keys (SSE-S3) for the S3
- B. Configure server-side encryption with AWS KMS (SSE-KMS) keys. Use an S3 bucket policy to
- C. Use client-side encryption before uploading the reports. Store the encryption keys in AWS
- D. Enable default server-side encryption with Amazon S3 managed keys (SSE-S3). Use AWS
Explanation
Using SSE-KMS lets the company enforce encryption with a specific customer managed KMS key and control usage through KMS key policies and grants. An S3 bucket policy can require that every upload uses KMS encryption with the designated key, preventing users from uploading unencrypted objects or switching to a different encryption method. AWS CloudTrail can then audit both S3 object operations and the corresponding KMS encryption/decryption events for comprehensive tracking of encryption and storage actions.
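The bucket-policy enforcement the explanation describes, as an added example that is not part of the exam page or of any AWS sample: a policy with three Deny statements (no encryption header, non-KMS encryption, wrong KMS key) built from the real S3 condition keys `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id`, plus a small evaluator that shows which constructed upload requests those statements would reject. The bucket name and key ARN are placeholders, and the evaluator is a deliberately simplified model of IAM evaluation (Deny statements only, two condition operators), not AWS's policy engine.

```python
"""Added example (not from the exam page): an S3 bucket policy that requires
SSE-KMS with one designated customer managed key, and a simplified evaluator
that shows which PutObject requests its Deny statements reject.

Assumptions: bucket name and KMS key ARN are placeholders; the evaluator
models only Deny statements and the Null / StringNotEquals operators."""
import json

BUCKET = "example-financial-reports"                                   # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"  # placeholder

SSE_HEADER = "s3:x-amz-server-side-encryption"
SSE_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def build_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy: deny s3:PutObject unless SSE-KMS with the designated key is requested."""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    base = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": obj_arn}
    return {
        "Version": "2012-10-17",
        "Statement": [
            # 1. Uploads that name no server-side encryption at all.
            {**base, "Sid": "DenyUploadsWithoutSSEHeader",
             "Condition": {"Null": {SSE_HEADER: "true"}}},
            # 2. SSE-S3 (AES256) or any method other than SSE-KMS.
            {**base, "Sid": "DenyNonKmsEncryption",
             "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
            # 3. SSE-KMS with any key other than the designated customer managed key.
            {**base, "Sid": "DenyWrongKmsKey",
             "Condition": {"StringNotEquals": {SSE_KEY_ID: kms_key_arn}}},
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """All operator/key pairs in a Condition block must match (simplified model)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null:"true" matches when the key is absent, Null:"false" when present.
                matched = (not present) if expected == "true" else present
            elif operator == "StringNotEquals":
                # Model assumption: a negated operator matches when the key is absent
                # or when the value differs. Statement 1 makes the outcome for the
                # encryption header independent of this detail.
                matched = (not present) or context[key] != expected
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not matched:
                return False
    return True


def evaluate_put_object(policy: dict, request_context: dict) -> tuple:
    """Return ("DENY", sid) for the first matching Deny statement, else ("ALLOW", None).

    The caller's identity policy is assumed to allow s3:PutObject; an explicit
    Deny in the bucket policy overrides that allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject":
            if _condition_matches(stmt.get("Condition", {}), request_context):
                return ("DENY", stmt["Sid"])
    return ("ALLOW", None)


# Constructed request contexts: the values S3 exposes from the upload headers.
SAMPLE_UPLOADS = {
    "no encryption header": {},
    "SSE-S3 (AES256)": {SSE_HEADER: "AES256"},
    "SSE-KMS, other key": {SSE_HEADER: "aws:kms", SSE_KEY_ID: OTHER_KEY_ARN},
    "SSE-KMS, no key id": {SSE_HEADER: "aws:kms"},
    "SSE-KMS, designated key": {SSE_HEADER: "aws:kms", SSE_KEY_ID: KMS_KEY_ARN},
}


def evaluate_samples() -> dict:
    """Evaluate every constructed upload against the policy; used by the demo and tests."""
    policy = build_policy(BUCKET, KMS_KEY_ARN)
    return {name: evaluate_put_object(policy, ctx) for name, ctx in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET, KMS_KEY_ARN), indent=2))
    for name, verdict in evaluate_samples().items():
        print(f"{name:26s} -> {verdict}")
```

Only the last request reaches the bucket; the other four are stopped by an explicit Deny that no identity policy can override, which is what keeps users from switching methods or dropping encryption. The audit side is separate from the policy: with CloudTrail data events enabled for the bucket, each PutObject and the matching KMS `GenerateDataKey`/`Decrypt` call against the designated key appear as events, so key-level usage can be tied back to individual object operations.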