IAM & S3 — SAA-C03 Practice Question
A representative AWS Solutions Architect Associate (SAA-C03) exam question on IAM & S3. Work through it below, then read why each option is right or wrong.
Short answer
The correct answer is C. Use SSE-KMS with a customer managed key (CMK) and enable CloudTrail management events.
SSE-KMS with a customer managed key (CMK) gives the security team full control over the encryption key, including key policies, grants, and the ability to enable/disable keys. CMKs automatically log all usage to CloudTrail, and AWS KMS supports automatic annual rotation for symmetric CMKs. This meets all requirements with minimal operational overhead.
The Question
A financial services company stores sensitive customer data in Amazon S3. The compliance team requires that encryption keys be managed by the company's security team, with the ability to audit key usage through AWS CloudTrail. The keys must be automatically rotated annually. A solutions architect needs to implement this with the least operational overhead. Which solution meets these requirements?
Why C is correct
SSE-KMS with a customer managed key (CMK) gives the security team full control over the encryption key, including key policies, grants, and the ability to enable/disable keys. CMKs automatically log all usage to CloudTrail, and AWS KMS supports automatic annual rotation for symmetric CMKs. This meets all requirements with minimal operational overhead.
Why the other options are wrong
SSE-S3 uses AWS-managed keys that the company has no control over. The security team cannot manage, audit, or set policies on these keys. CloudTrail data events would log S3 API calls but not encryption key usage.
AWS managed keys (aws/s3) cannot have custom key policies, and the security team cannot manage these keys directly. Key rotation happens automatically but the company has no visibility or control over the key lifecycle.
SSE-C requires the customer to provide the encryption key with every S3 request, creating significant operational overhead. Managing keys in Secrets Manager with Lambda rotation is complex and error-prone compared to KMS native rotation.
Key idea: IAM & S3
Why C is correct: SSE-KMS with a customer managed key (CMK) gives the security team full control over the encryption key, including key policies, grants, and the ability to enable/disable keys. CMKs automatically log all usage to CloudTrail, and AWS KMS supports automatic annual rotation for symmetric CMKs. This meets all requirements with minimal operational overhead. Why A is wrong: SSE-S3 uses AWS-managed keys that the company has no control over. The security team cannot manage, audit, or set policies on these keys. CloudTrail data events would log S3 API calls but not encryption key usage. Why B is wrong: AWS managed keys (aws/s3) cannot have custom key policies, and the security team cannot manage these keys directly. Key rotation happens automatically but the company has no visibility or control over the key lifecycle. Why D is wrong: SSE-C requires the customer to provide the encryption key with every S3 request, creating significant operational overhead. Managing keys in Secrets Manager with Lambda rotation is complex and error-prone compared to KMS native rotation. On the SAA-C03 exam, questions in the "Design Secure Architectures" domain test whether you can map a scenario's constraints to the right choice. Read the requirement carefully, eliminate options that violate any single constraint, and pick the one that satisfies all of them with the least operational overhead.
Ready to see how you'd score?
Take the free practice quiz and find out which AWS Solutions Architect Associate domains you need to focus on. No signup required.
Practice 5 similar questions
Same cert, same or adjacent domain. Use these after reviewing the explanation.