AWS Certified Solutions Architect - Associate / Question #1208

Question #1208

A financial institution must retain audit logs for 7 years. During this period, the logs must be immutable (cannot be modified or deleted) and encrypted at rest. The institution needs to automatically rotate encryption keys annually. Which combination of steps should be taken to meet these requirements with the LEAST operational overhead? (Choose two.)

A

Store the logs in Amazon S3. Use S3 Object Lock in governance mode.

B

Store the logs in Amazon S3. Use S3 Object Lock in compliance mode.

C

Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure key rotation.

D

Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.

E

Use server-side encryption with AWS Key Management Service (AWS KMS) customer provided (imported) keys. Configure key rotation.

Explanation

The correct answers are B and D.

- B: S3 Object Lock in compliance mode enforces immutability: a protected object version cannot be overwritten or deleted by any principal, including the account root user, until its retention period expires, and the retention period can be extended but never shortened. Setting a bucket-level default retention of 7 years in compliance mode (Object Lock requires versioning on the bucket) therefore meets the retention requirement with no ongoing administration. Governance mode (A) lets any principal holding the s3:BypassGovernanceRetention permission shorten the retention or delete the version, so it does not satisfy a strict immutability requirement.
- D: AWS KMS customer managed keys support automatic key rotation, enabled per key with a default rotation period of one year, which meets the annual rotation requirement without custom tooling. SSE-S3 (C) uses keys that Amazon S3 owns and rotates on its own schedule; the customer cannot configure rotation at all. A KMS key whose key material was imported (origin EXTERNAL, option E) does not support automatic rotation; rotating it means importing new key material manually.

Key Points:
1. Use S3 Object Lock in compliance mode for strict immutability.
2. Use AWS KMS customer-managed keys for customizable annual key rotation.
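As an added example (not part of the original question page), the script below turns the two key points into concrete API payloads and an audit that a practitioner would run against the bucket afterwards. It builds the `put_object_lock_configuration` and `put_bucket_encryption` payloads for compliance-mode 7-year retention and SSE-KMS with a customer managed key, and it evaluates the `get_*` / `describe_key` / `get_key_rotation_status` responses to flag governance mode, a retention shorter than 7 years, non-KMS default encryption, an AWS managed or imported-material key, and disabled or too-infrequent rotation. The sample responses are constructed inline; the bucket name and the thin `boto3` wrappers at the end are assumptions and are only exercised when you have credentials.

```python
"""Configure and audit an S3 bucket for 7-year immutable, KMS-encrypted audit logs.

Added example, not code from the exam page. The pure helpers build the
boto3 payloads and evaluate boto3 responses offline; apply_controls() and
audit_bucket() (bottom) are thin live wrappers and are assumptions about
how you would call them.
"""
RETENTION_YEARS = 7


def object_lock_config(years=RETENTION_YEARS, mode="COMPLIANCE"):
    """Payload for s3.put_object_lock_configuration(ObjectLockConfiguration=...).
    COMPLIANCE cannot be bypassed by any principal, including account root;
    GOVERNANCE can be bypassed with s3:BypassGovernanceRetention."""
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Years": years}}}


def bucket_encryption_config(kms_key_arn):
    """Payload for s3.put_bucket_encryption(ServerSideEncryptionConfiguration=...).
    BucketKeyEnabled reduces KMS request volume (cost), it does not change security."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
                           "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
                       "BucketKeyEnabled": True}]}


def check_object_lock(resp, years=RETENTION_YEARS):
    """Findings (empty list = compliant) for a get_object_lock_configuration response."""
    cfg = resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    ret = cfg.get("Rule", {}).get("DefaultRetention", {})
    findings = []
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"default retention mode is {ret.get('Mode')!r}, not COMPLIANCE")
    # DefaultRetention carries either Days or Years; normalise both to days.
    days = ret.get("Days", 0) + 365 * ret.get("Years", 0)
    if days < 365 * years:
        findings.append(f"default retention is {days} days, need at least {365 * years}")
    return findings


def check_encryption(resp):
    """Findings for a get_bucket_encryption response: require SSE-KMS with an explicit key."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption configured"]
    sse = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    findings = []
    if sse.get("SSEAlgorithm") != "aws:kms":
        findings.append(f"default SSE is {sse.get('SSEAlgorithm')!r}, not aws:kms (SSE-KMS)")
    if not sse.get("KMSMasterKeyID"):
        findings.append("no explicit KMS key: S3 would fall back to the AWS managed aws/s3 key")
    return findings


def check_key(describe_resp, rotation_resp, max_period_days=365):
    """Findings for kms.describe_key and kms.get_key_rotation_status responses."""
    km = describe_resp.get("KeyMetadata", {})
    findings = []
    if km.get("KeyManager") != "CUSTOMER":
        findings.append("key is AWS managed, not a customer managed key")
    if km.get("Origin") != "AWS_KMS":
        findings.append(f"key material origin is {km.get('Origin')!r}; "
                        "automatic rotation requires AWS_KMS origin")
    if not rotation_resp.get("KeyRotationEnabled"):
        findings.append("automatic key rotation is disabled")
    elif rotation_resp.get("RotationPeriodInDays", 365) > max_period_days:
        findings.append(f"rotation period {rotation_resp['RotationPeriodInDays']} days "
                        f"exceeds {max_period_days}")
    return findings


# Constructed sample responses (shapes follow the boto3 documentation).
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
GOOD_ENC = {"ServerSideEncryptionConfiguration": bucket_encryption_config(
            "arn:aws:kms:us-east-1:111122223333:key/example-key-id")}
GOOD_META = {"KeyMetadata": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}}
GOOD_ROT = {"KeyRotationEnabled": True, "RotationPeriodInDays": 365}


def apply_controls(bucket, kms_key_arn):
    """Live: assumes a versioned bucket created with Object Lock enabled (assumption)."""
    import boto3  # imported lazily so the pure helpers work without boto3 installed
    s3, kms = boto3.client("s3"), boto3.client("kms")
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=object_lock_config())
    s3.put_bucket_encryption(Bucket=bucket,
                             ServerSideEncryptionConfiguration=bucket_encryption_config(kms_key_arn))
    kms.enable_key_rotation(KeyId=kms_key_arn)


def audit_bucket(bucket):
    """Live: read the bucket and key configuration and return all findings."""
    import boto3
    s3, kms = boto3.client("s3"), boto3.client("kms")
    lock, enc = s3.get_object_lock_configuration(Bucket=bucket), s3.get_bucket_encryption(Bucket=bucket)
    key_id = enc["ServerSideEncryptionConfiguration"]["Rules"][0][
        "ApplyServerSideEncryptionByDefault"].get("KMSMasterKeyID", "alias/aws/s3")
    return (check_object_lock(lock) + check_encryption(enc)
            + check_key(kms.describe_key(KeyId=key_id), kms.get_key_rotation_status(KeyId=key_id)))


if __name__ == "__main__":
    print("sample findings:", check_object_lock(GOOD_LOCK) + check_encryption(GOOD_ENC)
          + check_key(GOOD_META, GOOD_ROT))
```

Run the pure checks against the constructed samples first; the compliant set yields no findings, while swapping in governance mode, a 5-year retention, SSE-S3, an imported-material key or a disabled rotation each produces a specific finding. The live wrappers assume credentials and an existing versioned bucket; Object Lock default retention cannot be applied to a bucket that was not created (or later enabled) with Object Lock.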

Answer

The correct answer is: BD