Exam SAA-C03
Question 202

A company is planning to move its data to an Amazon S3 bucket. The data must be encrypted when it is stored in the S3 bucket. Additionally, the encryption key must be automatically rotated every year.

Which solution will meet these requirements with the LEAST operational overhead?

    Correct Answer: A

    The solution with the least operational overhead is server-side encryption with Amazon S3 managed keys (SSE-S3). S3 generates a unique data key for every object, wraps it with a root key that S3 itself rotates, and exposes nothing for the customer to create, grant access to, rotate, or monitor; since January 2023 SSE-S3 is also the default encryption for every S3 bucket, so the data is encrypted at rest without any configuration. A customer managed AWS KMS key with automatic rotation enabled (option B in the discussion) also satisfies both requirements, but it adds a key to create, a key policy to maintain, per-request KMS costs, and a rotation status to audit, so it is not the least-overhead choice. Two practical caveats: enabling default encryption does not re-encrypt objects that were already in the bucket, so enable it before migrating the data (or copy the existing objects in place afterwards); and SSE-S3's rotation schedule is managed by AWS and is not customer-configurable, so if the company must be able to prove a 365-day rotation period through an API, SSE-KMS with a customer managed key is the auditable alternative.
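    The following offline check is an added example (not AWS or ExamTopics code) that turns the answer above into something a reviewer can run: it evaluates dictionaries shaped like the responses of s3:GetBucketEncryption, kms:DescribeKey and kms:GetKeyRotationStatus to decide whether a bucket's default encryption meets "encrypted at rest, automatically rotated at least yearly", covering the SSE-S3, customer managed KMS key, manual rotation and imported key material designs, and then audits s3:HeadObject results for objects that predate default encryption (the ordering caveat raised in the discussion) and builds the CopyObject parameters that re-encrypt them in place. Every ARN, bucket name and response value is constructed for illustration; in a real account you would fetch the inputs with boto3.

```python
"""Posture check for: data encrypted at rest in S3, key rotated automatically at
least yearly.  Added example, not AWS sample code.  Inputs mimic the shapes of
s3:GetBucketEncryption, s3:HeadObject, kms:DescribeKey and
kms:GetKeyRotationStatus; all values below are constructed placeholders."""
from typing import Dict, List, Optional, Tuple

MAX_ROTATION_DAYS = 365  # "rotated every year"


def kms_rotation_finding(key_meta: dict, rotation: Optional[dict]) -> Tuple[bool, str]:
    """key_meta is KeyMetadata from kms:DescribeKey; rotation is kms:GetKeyRotationStatus."""
    if key_meta.get("KeyManager") == "AWS":
        # AWS managed keys such as aws/s3: KMS rotates them yearly (since May 2022);
        # the customer cannot enable, disable or re-schedule that rotation.
        return True, "AWS managed key, yearly rotation fixed by KMS"
    if key_meta.get("Origin") == "EXTERNAL":
        # Imported key material (the option D design): KMS never rotates it automatically.
        return False, "imported key material, automatic rotation unsupported"
    if not rotation or not rotation.get("KeyRotationEnabled", False):
        # Customer managed key left on manual rotation (the option C design).
        return False, "customer managed key, automatic rotation disabled"
    period = rotation.get("RotationPeriodInDays", 365)  # custom periods exist since 2024
    if period > MAX_ROTATION_DAYS:
        return False, f"rotation period {period} days exceeds {MAX_ROTATION_DAYS}"
    return True, f"customer managed key rotated automatically every {period} days"


def bucket_finding(encryption_cfg: dict, keys: Dict[str, Tuple[dict, Optional[dict]]]) -> dict:
    """Evaluate a bucket's default encryption rule.  keys maps a KMS key ARN to
    its (KeyMetadata, GetKeyRotationStatus) pair."""
    rule = encryption_cfg["ServerSideEncryptionConfiguration"]["Rules"][0]
    default = rule["ApplyServerSideEncryptionByDefault"]
    algo = default["SSEAlgorithm"]
    if algo == "AES256":
        # SSE-S3 (option A): S3 wraps each per-object key with a root key it rotates
        # itself.  Nothing to create or audit, but the schedule is not configurable
        # and no S3 API reports it.
        return {"mode": "SSE-S3", "meets": True, "customer_managed": False,
                "note": "keys owned and rotated by S3"}
    if algo == "aws:kms":
        key_arn = default.get("KMSMasterKeyID")
        if key_arn is None:  # no key named: S3 uses the AWS managed key aws/s3
            return {"mode": "SSE-KMS", "meets": True, "customer_managed": False,
                    "note": "AWS managed key aws/s3, yearly rotation fixed by KMS"}
        ok, why = kms_rotation_finding(*keys[key_arn])
        return {"mode": "SSE-KMS", "meets": ok, "customer_managed": True, "note": why}
    return {"mode": algo, "meets": False, "customer_managed": True,
            "note": "algorithm not covered by this check"}


def objects_not_matching(heads: Dict[str, dict], algo: str,
                         kms_key_arn: Optional[str] = None) -> List[str]:
    """Default encryption applies only to objects written after it was enabled; S3
    never re-encrypts existing objects.  Return keys whose stored encryption
    (s3:HeadObject fields) differs from the bucket rule, in listing order."""
    mismatched = []
    for key, head in heads.items():
        if head.get("ServerSideEncryption") != algo:
            mismatched.append(key)
        elif algo == "aws:kms" and kms_key_arn and head.get("SSEKMSKeyId") != kms_key_arn:
            mismatched.append(key)
    return mismatched


def copy_in_place(bucket: str, key: str, algo: str,
                  kms_key_arn: Optional[str] = None) -> dict:
    """Keyword arguments for boto3 s3.copy_object() that re-encrypt an object onto
    itself.  S3 rejects a self-copy that changes nothing; changing the SSE
    attributes makes it legal."""
    params = {"Bucket": bucket, "Key": key,
              "CopySource": {"Bucket": bucket, "Key": key},
              "MetadataDirective": "COPY", "ServerSideEncryption": algo}
    if kms_key_arn:
        params["SSEKMSKeyId"] = kms_key_arn
    return params


# --- constructed sample data (placeholders, not from a real account) -------------
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
IMPORTED_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
KEYS = {
    CMK_ARN: ({"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"},
              {"KeyRotationEnabled": True, "RotationPeriodInDays": 365}),
    IMPORTED_ARN: ({"KeyManager": "CUSTOMER", "Origin": "EXTERNAL"},
                   {"KeyRotationEnabled": False}),
}


def default_rule(algo: str, key_arn: Optional[str] = None) -> dict:
    """Build a GetBucketEncryption-shaped configuration with one default rule."""
    by_default = {"SSEAlgorithm": algo}
    if key_arn:
        by_default["KMSMasterKeyID"] = key_arn
    return {"ServerSideEncryptionConfiguration":
            {"Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]}}


# HeadObject results; "legacy.csv" was uploaded before default encryption was enabled.
HEADS = {
    "legacy.csv": {"ContentLength": 1024},
    "new.csv": {"ContentLength": 2048, "ServerSideEncryption": "AES256"},
    "kms.csv": {"ContentLength": 512, "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_ARN},
}

if __name__ == "__main__":
    for label, cfg in (("option A", default_rule("AES256")),
                       ("option B", default_rule("aws:kms", CMK_ARN)),
                       ("option D", default_rule("aws:kms", IMPORTED_ARN))):
        print(label, bucket_finding(cfg, KEYS))
    for key in objects_not_matching(HEADS, "AES256"):
        print("re-encrypt:", copy_in_place("example-bucket", key, "AES256"))
```

    Run it as a script to see each design scored and the in-place copy parameters for the object that was migrated before encryption was enabled. The SSE-S3 branch is marked as meeting the requirement, in line with the accepted answer, but the finding records that the schedule is AWS-owned; the SSE-KMS branch is the only one whose rotation period the check can actually verify from an API response.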

Discussion
Buruguduystunstugudunstuy (Option: A)

KEYWORD: LEAST operational overhead. To encrypt the data when it is stored in the S3 bucket and automatically rotate the encryption key every year with the least operational overhead, the company can use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). SSE-S3 uses keys that are managed by Amazon S3, and the built-in key rotation behavior of SSE-S3 encryption keys automatically rotates the keys every year. To meet the requirements of the company, the solutions architect can move the data to the S3 bucket and enable server-side encryption with SSE-S3. This solution requires no additional configuration or maintenance and has the least operational overhead. Hence, the correct answer is Option A: Move the data to the S3 bucket. Use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.

Buruguduystunstugudunstuy

Option B involves using a customer-managed AWS KMS key and enabling automatic key rotation, but this requires the company to manage the KMS key and monitor the key rotation process. Option C involves using a customer-managed AWS KMS key, but this requires the company to manually rotate the key every year, which introduces additional operational overhead. Option D involves encrypting the data with customer key material and creating a KMS key without key material, but this requires the company to manage the customer key material and import it into the KMS key, which introduces additional operational overhead.

ocbn3wby

God bless you, man! The most articulated answers, easy to understand. Good job!

JayBee65

But wrong :)

ocbn3wby

Reviewed it the second time. Some of them are wrong, indeed.

JayBee65

But... For A there is no reference to how often these keys are rotated, and to rotate to a new key, you need to upload it, which is operational overhead. So not only does it not necessarily meet the 'rotate keys every year' requirement, but every year it requires operational overhead. More importantly, the question states move the objects first, and then configure encryption, but ..."There is no change to the encryption of the objects that existed in the bucket before default encryption was enabled." from https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html So A is clearly wrong. For B, whilst you have to set up KMS once, you then don't have to do anything else, which I would say is LEAST operational overhead.

LuckyAro

The order of these events is being ignored here in my opinion. The encryption checkbox needs to be checked before data is moved into the S3 bucket or it will not be encrypted; otherwise, you'll have to encrypt manually and reload into the S3 bucket. If the box was checked before moving data into S3 then you are good to go!

LuckyAro

https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html

Wang87

SSE does NOT rotate encryption keys; it changes the master key used to lock the encryption keys, which creates a new ciphered key and stores it.

Smart

Ignoring the new change that default encryption is already enabled, I agree that the encryption should be configured before moving the data into the bucket. Otherwise, the existing objects will remain unencrypted. Correct Answer is B. Additionally, where is the reference that SSE-S3 will rotate keys every year (which is the question's requirement)?

bicrasse

The good answer was B before May 2022, because the rotation schedule for AWS managed keys was 3 years (SSE-S3 is based on it)... Since May 2022 the rotation schedule is 1 year, so A is now the best answer because there is NO operational task to do: S3 is by default encrypted at rest with SSE-S3 (rotation every year)... So it depends on whether the question has been updated since 2022.

pentium75

SSE-S3 rotates the keys when AWS wants it, not "every year" like required here.

pentium75

No, I stand corrected. All AWS managed keys are automatically rotated every year. You cannot change this rotation schedule.

awsgeek75

I want to find a source for this yearly rotation because SSE-S3 just rotates periodically and doesn't say it follows the same policy as other managed key. I think you may be right but just need a doc link

Maru86

https://repost.aws/questions/QUES_1VN01TU-eRSO3LXergA/s3-managed-key-sse-s3-rotation-period

tohegajaf

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys

techhb (Option: B)

SSE-S3 is free and uses AWS owned CMKs (CMK = Customer Master Key). The encryption key is owned and managed by AWS, and is shared among many accounts. Its rotation is automatic with a time that varies as shown in the table here. The time is not explicitly defined.

SSE-KMS has two flavors:

AWS managed CMK. This is a free CMK generated only for your account. You can only view its policies and audit usage, but not manage it. Rotation is automatic, once per 1095 days (3 years).

Customer managed CMK. This uses your own key that you create and can manage. Rotation is not enabled by default, but if you enable it, it will be automatically rotated every 1 year. This variant can also use key material imported by you. If you create such a key with imported material, there is no automated rotation, only manual rotation.

SSE-C is a customer-provided key. The encryption key is fully managed by you outside of AWS. AWS will not rotate it.

ruqui

AWS managed CMK rotates every 365 days (not 1095 days). Reference: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt

TariqKipkemei (Option: A)

LEAST operational overhead = Amazon S3 managed encryption keys

rohitph (Option: B)

AWS can change rotation period anytime but Customer says 'must be automatically rotated' hence answer should be B in this case.

lofzee (Option: A)

Interestingly the answer for this used to be B, and now it's A. After May 2022 AWS changed the rotation schedule for SSE-S3. See documentation here: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys . "AWS managed keys: AWS KMS automatically rotates AWS managed keys every year (approximately 365 days). You cannot enable or disable key rotation for AWS managed keys. In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days). New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter. Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter." ---- If this comes up in the exam, remember! You can use SSE-S3 for yearly rotation now.

ManikRoy (Option: B)

SSE-KMS - Customer managed keys - Automatic rotation - Guarantees yearly key rotation (unlike SSE-S3 where you do not have control on key rotation) and also meets the least operational overhead.

Solomon2001 (Option: A)

Option A: Utilizes server-side encryption with Amazon S3 managed encryption keys (SSE-S3), which is the simplest and most straightforward way to encrypt data stored in Amazon S3. SSE-S3 automatically handles key rotation, eliminating the need for manual key rotation. This solution provides encryption for the data in the S3 bucket without requiring any additional setup or management. Option B: Involves setting up a customer managed KMS key, enabling automatic key rotation, and then setting the S3 bucket's default encryption behavior to use the customer managed KMS key. While this option also provides encryption and automatic key rotation, it involves more setup and management compared to SSE-S3.

jatric (Option: A)

All options except A suggest a customer key; why would a customer key be needed here?

ChymKuBoy (Option: B)

B for sure

demigodnyi

It's A. Because it's said that they need the LEAST operational overhead, and S3 Managed Keys can rotate automatically every year without needing user intervention. For the Customer Managed Keys, you need to do some configuration for that.

awsgeek75 (Option: A)

Both A and B are viable answers but A with SSE-S3 is least operational overhead. B will require the customer to manage the key. ***HOWEVER*** note that SSE-S3 managed keys are rotated periodically so there is no user control on limiting the rotation to "once a year". For the exam, probably read the question with full context and hope there is more detail in the actual exam!

SinghJagdeep (Option: B)

Please see JayBee's response below. Makes sense.

pentium75 (Option: A)

Now "all AWS managed keys are automatically rotated every year. You cannot change this rotation schedule". However, if you insist that option A also specifies the order of steps then it would be wrong, you'd need to enable encryption BEFORE moving the data to the bucket. But per my understanding of English, the order is not specified, it's just a combination of things you do. Otherwise B would be the correct answer, but it has more operational overhead than A, at least now. Probably the question is old.

ale_brd_ (Option: B)

Nowhere in this documentation does it state how often the keys are rotated, and only the key that encrypts the S3 encryption key actually gets rotated. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html

xdkonorek2 (Option: B)

I'm voting B. Each object in S3 using SSE-S3 uses a separate key; this key is encrypted using another master key that is regularly rotated, but AWS doesn't share how often it happens. With SSE-KMS you have the option to tick: "Automatically rotate this KMS key every year."

bogobob

In 2023 the answer would be A. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html states that S3 automatically uses SSE, and rotates the keys "regularly" which as far as I've understood is yearly

theonlyhero

But based on this reference: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys it mentions that it varies, so I would stick with B.

rlamberti (Option: A)

SSE-S3 keys are rotated automatically every year. Default behaviour.