AIncorrect
Amazon CloudWatch
Amazon CloudWatch is a monitoring service that handles metrics, logs, and alarms.
It is not a service that creates and manages encryption keys, so this is incorrect.
A company wants to encrypt the data it stores in Amazon S3 for an AI application and to centrally create, manage, and rotate the keys used for that encryption. Which AWS service is the MOST suitable?
1 / 1
Select an answer
CorrectD
Explanation
A question about choosing the AWS service for centrally managing encryption keys.
- 1「encrypt the data it stores」Keys for encryption at rest are needed
- 2「centrally create, manage, and rotate the keys」AWS KMS, specialized in key management, applies
BIncorrect
Amazon Macie
Amazon Macie is a service that discovers and classifies sensitive data (such as personal information) in S3.
Its purpose is discovering sensitive data, and it is not a service that manages encryption keys, so this is incorrect.
CIncorrect
AWS CloudTrail
AWS CloudTrail is an audit log service that records who called which API and when.
Its purpose is recording API actions, and it is not a service that manages encryption keys, so this is incorrect.
DCorrect
AWS KMS
Correct. AWS KMS (Key Management Service) is a managed service that lets you centrally create, manage, and rotate the keys used for encryption. It integrates with S3 and many AWS services and is used for encrypting data at rest.
Key Takeaway
Note how the correct answer, AWS KMS, works.
- KMS is a managed service that centrally creates, manages, and rotates encryption keys.
- It integrates with many AWS services, starting with S3, and is used for encryption at rest.
- Access to keys can also be controlled with IAM.
CloudWatch (monitoring), Macie (sensitive data discovery), and CloudTrail (API log) serve other purposes.