AWSDesign Secure Architectures

IAM & S3 — SAA-C03 Practice Question

A representative AWS Solutions Architect Associate (SAA-C03) exam question on IAM & S3. Work through it below, then read why each option is right or wrong.

Short answer

The correct answer is C. Use SSE-KMS with a customer managed key (CMK) and enable CloudTrail management events.

SSE-KMS with a customer managed key (CMK) gives the security team full control over the encryption key, including key policies, grants, and the ability to enable/disable keys. CMKs automatically log all usage to CloudTrail, and AWS KMS supports automatic annual rotation for symmetric CMKs. This meets all requirements with minimal operational overhead.

The Question

A financial services company stores sensitive customer data in Amazon S3. The compliance team requires that encryption keys be managed by the company's security team, with the ability to audit key usage through AWS CloudTrail. The keys must be automatically rotated annually. A solutions architect needs to implement this with the least operational overhead. Which solution meets these requirements?

AUse SSE-S3 encryption and enable CloudTrail data events for the S3 bucket
BUse SSE-KMS with an AWS managed key (aws/s3) and enable CloudTrail management events
CUse SSE-KMS with a customer managed key (CMK) and enable CloudTrail management eventsCorrect
DUse SSE-C with keys stored in AWS Secrets Manager and a Lambda function for rotation

Why C is correct

SSE-KMS with a customer managed key (CMK) gives the security team full control over the encryption key, including key policies, grants, and the ability to enable/disable keys. CMKs automatically log all usage to CloudTrail, and AWS KMS supports automatic annual rotation for symmetric CMKs. This meets all requirements with minimal operational overhead.

Why the other options are wrong

Option A: Use SSE-S3 encryption and enable CloudTrail data events for the S3 bucket

SSE-S3 uses AWS-managed keys that the company has no control over. The security team cannot manage, audit, or set policies on these keys. CloudTrail data events would log S3 API calls but not encryption key usage.

Option B: Use SSE-KMS with an AWS managed key (aws/s3) and enable CloudTrail management events

AWS managed keys (aws/s3) cannot have custom key policies, and the security team cannot manage these keys directly. Key rotation happens automatically but the company has no visibility or control over the key lifecycle.

Option D: Use SSE-C with keys stored in AWS Secrets Manager and a Lambda function for rotation

SSE-C requires the customer to provide the encryption key with every S3 request, creating significant operational overhead. Managing keys in Secrets Manager with Lambda rotation is complex and error-prone compared to KMS native rotation.

Key idea: IAM & S3

Why C is correct: SSE-KMS with a customer managed key (CMK) gives the security team full control over the encryption key, including key policies, grants, and the ability to enable/disable keys. CMKs automatically log all usage to CloudTrail, and AWS KMS supports automatic annual rotation for symmetric CMKs. This meets all requirements with minimal operational overhead. Why A is wrong: SSE-S3 uses AWS-managed keys that the company has no control over. The security team cannot manage, audit, or set policies on these keys. CloudTrail data events would log S3 API calls but not encryption key usage. Why B is wrong: AWS managed keys (aws/s3) cannot have custom key policies, and the security team cannot manage these keys directly. Key rotation happens automatically but the company has no visibility or control over the key lifecycle. Why D is wrong: SSE-C requires the customer to provide the encryption key with every S3 request, creating significant operational overhead. Managing keys in Secrets Manager with Lambda rotation is complex and error-prone compared to KMS native rotation. On the SAA-C03 exam, questions in the "Design Secure Architectures" domain test whether you can map a scenario's constraints to the right choice. Read the requirement carefully, eliminate options that violate any single constraint, and pick the one that satisfies all of them with the least operational overhead.

Ready to see how you'd score?

Take the free practice quiz and find out which AWS Solutions Architect Associate domains you need to focus on. No signup required.

Practice 5 similar questions

Same cert, same or adjacent domain. Use these after reviewing the explanation.

Related AWS Solutions Architect Associate Practice Questions