AWS Key Management Service (KMS) is the central service for managing encryption keys.
Key Types:
aws/s3, aws/ebs). Free, automatic rotation every year.
Key Features:
Services with KMS Integration:
AWS Certificate Manager (ACM) manages SSL/TLS certificates.
TLS Termination Points:
Create a customer managed KMS key, use it to encrypt an S3 bucket, and verify encryption.
15 minutes
Step 1: Create a KMS key
```bash
# Create a customer managed key and capture its key id for the later steps
KEY_ID=$(aws kms create-key \
  --description "SAA-C03 Study Key" \
  --query 'KeyMetadata.KeyId' --output text)
echo "Key ID: $KEY_ID"

# Give the key a human-readable alias (aliases must start with "alias/")
aws kms create-alias \
  --alias-name alias/saa-study-key \
  --target-key-id "$KEY_ID"
```
Step 2: Create an S3 bucket with KMS encryption
```bash
# Bucket names are global, so append a timestamp to avoid collisions
BUCKET_NAME="saa-study-encrypted-$(date +%s)"
aws s3api create-bucket --bucket "$BUCKET_NAME" --region us-east-1

# Make SSE-KMS with the new key the bucket's default encryption
# (the single quotes close and reopen around $KEY_ID so the shell expands it inside the JSON)
aws s3api put-bucket-encryption --bucket "$BUCKET_NAME" \
  --server-side-encryption-configuration '{
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "'"$KEY_ID"'"
        }
      }
    ]
  }'
```
Step 3: Upload a file and verify encryption
```bash
echo "Test encryption content" > test-file.txt
aws s3 cp test-file.txt "s3://$BUCKET_NAME/test-file.txt"

# The object inherits the bucket default; head-object shows the encryption actually applied
aws s3api head-object --bucket "$BUCKET_NAME" --key test-file.txt
# Verify ServerSideEncryption is "aws:kms" and SSEKMSKeyId matches your key
```
Step 4: Enable automatic key rotation
```bash
# Turn on automatic rotation of the key material and confirm the setting
aws kms enable-key-rotation --key-id "$KEY_ID"
aws kms get-key-rotation-status --key-id "$KEY_ID"
```
```bash
# Clean up: empty and delete the bucket, then retire the key
aws s3 rm "s3://$BUCKET_NAME" --recursive
aws s3api delete-bucket --bucket "$BUCKET_NAME"
aws kms disable-key --key-id "$KEY_ID"
# Deletion is never immediate; 7 days is the shortest allowed pending window
aws kms schedule-key-deletion --key-id "$KEY_ID" --pending-window-in-days 7
aws kms delete-alias --alias-name alias/saa-study-key
rm test-file.txt
```
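As an added check for steps 2 to 4 (not part of the original lab), the script below parses the JSON that `aws s3api head-object`, `aws s3api get-bucket-encryption` and `aws kms get-key-rotation-status` print and confirms that the object, the bucket default and rotation all point at your key, including the case where the key appears as a full ARN rather than the bare id. The sample outputs and the key id are constructed placeholders, so it runs offline.

```python
import json

def key_id_from_arn(value: str) -> str:
    """Return the bare key id from a KMS key ARN; bare ids pass through unchanged."""
    # ARN shape: arn:aws:kms:<region>:<account>:key/<key-id>
    if value.startswith("arn:") and ":key/" in value:
        return value.rsplit(":key/", 1)[1]
    return value

def verify_sse_kms(head_object_json: str, expected_key_id: str) -> bool:
    """True if `aws s3api head-object` output shows SSE-KMS with the expected key."""
    meta = json.loads(head_object_json)
    if meta.get("ServerSideEncryption") != "aws:kms":
        return False  # SSE-S3 (AES256) or unencrypted objects fail the check
    return key_id_from_arn(meta.get("SSEKMSKeyId", "")) == expected_key_id

def verify_bucket_default_encryption(config_json: str, expected_key_id: str) -> bool:
    """True if `aws s3api get-bucket-encryption` output defaults to SSE-KMS with the expected key."""
    rules = json.loads(config_json)["ServerSideEncryptionConfiguration"]["Rules"]
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if (default.get("SSEAlgorithm") == "aws:kms"
                and key_id_from_arn(default.get("KMSMasterKeyID", "")) == expected_key_id):
            return True
    return False

def verify_rotation(status_json: str) -> bool:
    """True if `aws kms get-key-rotation-status` output reports rotation enabled."""
    return json.loads(status_json).get("KeyRotationEnabled") is True

# Constructed sample CLI output (not captured from a real account); the key id is a placeholder.
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/" + KEY_ID
HEAD_OBJECT_KMS = json.dumps({"ContentLength": 24, "ServerSideEncryption": "aws:kms",
                              "SSEKMSKeyId": KEY_ARN})
HEAD_OBJECT_SSE_S3 = json.dumps({"ContentLength": 24, "ServerSideEncryption": "AES256"})
BUCKET_ENCRYPTION = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
     "BucketKeyEnabled": False}]}})
ROTATION_ON = '{"KeyRotationEnabled": true}'

if __name__ == "__main__":
    print("object uses SSE-KMS with our key:", verify_sse_kms(HEAD_OBJECT_KMS, KEY_ID))
    print("SSE-S3 object passes:", verify_sse_kms(HEAD_OBJECT_SSE_S3, KEY_ID))
    print("bucket default ok:", verify_bucket_default_encryption(BUCKET_ENCRYPTION, KEY_ID))
    print("rotation enabled:", verify_rotation(ROTATION_ON))
```

Swap the constructed strings for the real command output (for example read from a file you redirected the CLI into) to check your own bucket and key.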
| # | Question | Answer |
|---|---|---|
| 1 | What are the three types of KMS keys? | AWS Managed Keys, Customer Managed Keys (CMKs), AWS Owned Keys |
| 2 | How much does a Customer Managed Key cost? | $1/month per key + API call charges |
| 3 | What is envelope encryption? | KMS encrypts a data key, which encrypts your data. Only the encrypted data key is stored with the data. |
| 4 | Are ACM public certificates free? | Yes, and they auto-renew |
| 5 | Can you export ACM public certificates? | No. Only ACM Private CA certificates can be exported. |
| 6 | How often does KMS automatic rotation rotate key material? | Every year (365 days) |
| 7 | What is S3 Object Lock? | WORM compliance that prevents object deletion for a retention period |
| 8 | What does AWS Backup support? | EC2, EBS, RDS, DynamoDB, EFS, FSx, Storage Gateway |
| 9 | What is DynamoDB PITR? | Point-in-Time Recovery — continuous backups with restore to any second in the last 35 days |
| 10 | What is MFA Delete in S3? | Requires MFA to permanently delete versioned objects or change versioning state |
A company needs to encrypt data at rest in an S3 bucket using a key they manage and can audit. They want automatic annual key rotation. Which encryption option should they use?
Correct: C
SSE-KMS with a customer managed key gives the company full control over the key, including audit via CloudTrail and automatic rotation. SSE-S3 uses AWS-managed keys with no customer control. AWS managed KMS keys rotate automatically but cannot be audited at the same level. SSE-C requires the customer to manage key rotation manually.
Domain: 1 — Design Secure Architectures Task: 1.3
A company needs to ensure that SSL/TLS certificates for their ALB are automatically renewed. Which service should they use?
Correct: B
ACM provides free public SSL/TLS certificates that are automatically renewed when used with supported AWS services like ALB, CloudFront, and API Gateway. KMS manages encryption keys, not certificates. Secrets Manager stores secrets but does not issue certificates. CloudHSM is for hardware-based key management.
Domain: 1 — Design Secure Architectures Task: 1.3
A company must comply with regulations requiring that backup data cannot be deleted for 7 years. Which AWS feature supports this requirement?
Correct: C
AWS Backup Vault Lock provides WORM (Write Once Read Many) compliance, preventing backup deletion for a specified retention period. This meets regulatory requirements for immutable backups. S3 Lifecycle Policies manage transitions and expiration but do not prevent deletion. Versioning protects against accidental deletion but versions can still be deleted. Intelligent-Tiering is a storage class, not a compliance feature.
Domain: 1 — Design Secure Architectures Task: 1.3
A solutions architect needs to protect S3 objects from accidental deletion while maintaining the ability to recover previous versions. Which combination of features should be enabled?
Correct: B
S3 Versioning preserves all versions of objects, allowing recovery of previous versions. MFA Delete adds an extra layer of protection by requiring MFA to permanently delete versioned objects or change the versioning state. Object Lock is for WORM compliance (more restrictive than needed). Lifecycle Policies and CRR do not prevent deletion. Encryption and logging are unrelated to deletion protection.
Domain: 1 — Design Secure Architectures Task: 1.3
A company uses Amazon RDS with sensitive data. They need to encrypt existing unencrypted RDS instances. What is the correct approach?
Correct: B
You cannot enable encryption on an existing unencrypted RDS instance. The correct approach is to create a snapshot, copy the snapshot with encryption enabled (using KMS), and then restore a new instance from the encrypted snapshot. Option A is not possible. Option C is not how RDS encryption works. Option D enables encryption in transit, not at rest.
Domain: 1 — Design Secure Architectures Task: 1.3