SaveMyCert
Log in
5 of 5 free questions left today·for unlimited practice
Design Secure Architectures

AWS Data Security Controls: KMS Encryption, S3 Encryption, and Key Management

24 min readSAA-C03 · Design Secure ArchitecturesUpdated

Data security controls decide the outcome of more SAA-C03 questions than almost any other Domain 1 topic, because nearly every scenario ends with data sitting in S3, EBS, or RDS — and the exam wants to know whether you can protect it to a stated requirement, not just switch encryption on. The decisions that matter are ownership decisions: who controls the encryption key (AWS, you through KMS, or you alone through CloudHSM), who can read the data (IAM policies, bucket policies, Block Public Access), which path the data travels (TLS everywhere, VPC endpoints for private routes), and how long the data must survive unchanged (Object Lock, versioning, lifecycle rules, cross-Region copies). This lesson covers the full scope of Task 1.3: encryption at rest and in transit, KMS key types and CloudHSM, S3 encryption options, EBS and RDS encryption paths, key rotation and certificate renewal, data governance, and compliance-driven retention — each framed as the decision rule the exam actually tests.

What you’ll learn
  • Choose between AWS managed keys, customer managed keys, and CloudHSM based on control, audit, and cross-account requirements
  • Select the right S3 encryption option (SSE-S3, SSE-KMS, client-side) for a stated compliance or audit requirement
  • Apply the snapshot-copy path to encrypt existing unencrypted EBS volumes and RDS databases
  • Design TLS termination with ACM certificates, including the us-east-1 requirement for CloudFront, and enforce HTTPS end to end
  • Distinguish automatic from manual key rotation and know which certificate types ACM renews on its own
  • Map retention and immutability requirements to S3 Object Lock, versioning, lifecycle rules, and cross-Region replication

Encryption at rest: pick the KMS key type by who must control it

Almost every AWS service encrypts data at rest by calling AWS Key Management Service, so the real architectural decision is never "should I encrypt" — it is which kind of key the service should use. KMS offers three ownership levels, and SAA-C03 scenarios are written so that only one of them satisfies the requirement.

AWS owned keys belong to the service itself. You never see them, cannot audit their use per-account, and cannot control them; they simply provide baseline encryption at no cost. AWS managed keys (the aws/s3, aws/ebs style keys) live in your account and are visible in the KMS console, but the control stops there: AWS rotates them automatically every year, you cannot edit their key policies, you cannot use them in cross-account scenarios, and you cannot disable or delete them. They are free and require zero administration — which is exactly what makes them wrong the moment a scenario demands control.

Customer managed keys are the answer whenever the requirement includes any of these words: control rotation, restrict which roles or services can use the key, share encrypted data with another account, disable the key immediately, or audit against a key policy you wrote. You author the key policy (the resource-based policy that is the ultimate authority over the key — even account administrators are locked out if the policy does not allow them), you can issue grants for temporary, programmatic access (how services like EBS use your key on your behalf), and you can allow cross-account use by combining a key policy statement for the external account with an IAM policy in that account. Customer managed keys cost a monthly fee per key plus API-request charges, and deletion is deliberately hard: you schedule it with a 7–30 day waiting period, because destroying a key makes everything it encrypted permanently unreadable.

Underneath all of this sits envelope encryption: KMS keys never leave KMS and can only encrypt small payloads directly, so services generate a data key, encrypt your actual data with it locally, then use the KMS key only to encrypt the data key. The encrypted data key is stored alongside the data; decryption means asking KMS to unwrap the data key first. That is why disabling one KMS key can instantly cut off access to terabytes of data — and why CloudTrail records a KMS API call every time encrypted data is opened.

The exam probes this as an elimination exercise: a scenario states a requirement like "the security team must approve which principals can use the encryption key" or "encrypted snapshots must be shared with a partner account," and only the customer managed key option survives. Default answers (SSE with AWS managed keys) appear as distractors that encrypt the data but fail the control requirement.

AWS KMS vs AWS CloudHSM: how much isolation the compliance team demands

KMS is a multi-tenant managed service: your keys are protected by hardware security modules that AWS operates and shares across customers, with strong logical isolation. For most workloads — including regulated ones — that is enough, and KMS wins on integration: every major AWS service can call it natively, CloudTrail logs every operation, and IAM plus key policies govern access. AWS CloudHSM exists for the narrower case where compliance language demands more than logical isolation: a dedicated, single-tenant hardware security module, validated to FIPS 140 Level 3, inside your VPC, where you manage the users and keys on the device and AWS has no access to your key material at all.

DimensionAWS KMS (customer managed keys)AWS CloudHSM
TenancyMulti-tenant HSM fleet managed by AWSDedicated single-tenant HSM in your VPC
Who controls key materialYou control policy and usage; AWS operates the HSMsYou alone — AWS cannot see or export your keys
Access controlIAM + key policies + grantsHSM users you create and manage on the device
Audit trailCloudTrail logs every API callHSM audit logs (plus client-side logging you operate)
AWS service integrationNative across S3, EBS, RDS, and most servicesNot native; used via industry-standard libraries (PKCS #11, JCE) or as a KMS custom key store
Operational burdenMinimal — fully managedYou manage the cluster, users, backups, and availability
When it winsAlmost always: control + audit + integration with least overheadRegulations mandate single-tenant FIPS-level hardware, you must run your own PKI or database TDE with keys you exclusively hold, or contractual terms forbid the provider from any key access

Two nuances keep appearing in questions. First, CloudHSM and KMS are not mutually exclusive: a KMS custom key store backs KMS keys with your CloudHSM cluster, giving you KMS's service integration on top of single-tenant hardware — the answer when a scenario needs both native S3/EBS integration and dedicated HSMs. Second, CloudHSM shifts operational responsibility to you: durability, user management, and client configuration are your problem, so it loses every "LEAST operational overhead" contest.

On the exam, read the compliance sentence literally. "Auditable, centrally controlled encryption keys" means KMS customer managed keys. "Dedicated hardware," "single-tenant," "the cloud provider must never be able to access key material," or "FIPS 140 Level 3 hardware you control" means CloudHSM. Choosing CloudHSM for an ordinary audit requirement is the classic over-engineering trap.

Encryption in transit: TLS with ACM, and where the certificate must live

Encryption at rest protects stored data; TLS protects data moving between clients and your architecture and between tiers inside it. On AWS the certificate machinery is AWS Certificate Manager (ACM): it issues public TLS certificates for domains you can validate (DNS validation is the practical choice), at no cost, and deploys them to the managed endpoints that terminate TLS for you — Application Load Balancers, CloudFront distributions, and API Gateway. You cannot export ACM public certificates to install on your own EC2 instances; ACM certificates only work on integrated AWS services. If you need certificates on instances or on-premises servers, that is ACM Private CA territory (or certificates you bring yourself).

The placement rule the exam states precisely and tests relentlessly: ACM certificates are regional resources. A certificate can only be attached to resources in the Region where it was requested or imported — an ALB in eu-west-1 needs a certificate in eu-west-1. The one carve-out is CloudFront: because CloudFront is a global service, the ACM certificate for a distribution must exist in us-east-1 (N. Virginia), regardless of where your origins or users are. A scenario describing a CloudFront distribution that cannot use a custom domain certificate created in ap-southeast-2 is testing exactly this fact, and the fix is to request the certificate again in us-east-1.

Issuing a certificate is half the job; enforcing HTTPS is the other half, and each service has its own lever. On an ALB, keep the HTTP :80 listener but configure it to redirect to HTTPS. On CloudFront, set the viewer protocol policy to redirect HTTP to HTTPS (or HTTPS-only), and separately choose the origin protocol policy so the CloudFront-to-origin leg is also encrypted. For S3, add a bucket policy that denies all requests where aws:SecureTransport is false — the standard answer for "ensure data in the bucket can only be accessed over encrypted connections." For databases and internal services, require TLS in the client connection settings or parameter groups.

SAA-C03 tests transit encryption in two shapes: placement questions (which Region does this certificate go in — the answer hinges on ALB-regional vs CloudFront-us-east-1) and enforcement questions ("the security team requires all access to be encrypted in transit" — the answer is the redirect, protocol policy, or aws:SecureTransport deny, not merely "attach a certificate").

Key rotation and certificate renewal: what rotates itself and what you must rotate

Compliance frameworks require keys and certificates to be rotated, and the exam wants you to know which mechanisms are automatic, which are opt-in, and which are entirely manual.

For KMS: AWS managed keys rotate automatically every year, and you cannot change that — no faster, no slower, no off switch. Customer managed keys support optional automatic rotation: you enable it, and KMS transparently generates new key material on a yearly cadence by default. The crucial mechanic is that rotation keeps all previous key material: the key's ID and alias never change, old ciphertexts are still decrypted with the material that created them, and nothing needs to be re-encrypted. Rotation limits how much data any single generation of key material protects; it does not retire old ciphertexts. Two cases fall outside automatic rotation entirely: keys with imported key material (bring-your-own-key) and keys in custom key stores cannot auto-rotate — for those you perform manual rotation by creating a new key and re-pointing the alias to it. Aliases are the reason applications should always reference keys by alias: manual rotation then requires no code change, but note that manual rotation means new data uses the new key while old data still requires the old key to remain available.

For certificates: ACM automatically renews the public certificates it issued, as long as the certificate is in use and DNS validation records remain in place — this is the single biggest operational argument for DNS validation over email validation, which requires a human to respond. Imported certificates are never renewed by ACM: you must obtain a new certificate from your CA and re-import it before expiry (ACM sends expiration notices, but the work is yours). Certificates from ACM Private CA used with integrated services also renew automatically.

Exam probes here are subtle rather than deep. A scenario requiring "encryption keys rotated automatically every year with no application changes" is satisfied by KMS automatic rotation — a distractor will propose manually re-encrypting data. A scenario where certificates keep expiring and taking the site down points to imported certificates or email validation; the fix is ACM-issued certificates with DNS validation. And any requirement to rotate on a custom schedule or with imported material pushes you to manual rotation via aliases.

S3 encryption options: SSE-S3 vs SSE-KMS vs client-side

S3 encrypts every new object by default with SSE-S3, so the exam question is never whether S3 data is encrypted — it is whether the default satisfies the stated requirement. The options differ on exactly two axes that scenarios exploit: who owns the key and what audit and access control you get over it.

OptionKey ownershipAudit trailWhen to choose
SSE-S3 (default)Keys fully managed by S3; you never see or manage themNo per-key audit — object access appears in logs, but there is no key policy and no KMS CloudTrail eventsBaseline encryption at rest with zero management and zero cost; no requirement mentions key control or key-usage auditing
SSE-KMSA KMS key — AWS managed (aws/s3) or, for real control, customer managedEvery encrypt/decrypt is a KMS API call logged in CloudTrail; key policy controls who can use the keyRequirements say audit key usage, control who can decrypt, separate key administrators from data users, or share with another account (customer managed key)
SSE-KMS + S3 Bucket KeysSame as SSE-KMSSame, with fewer individual KMS calls loggedHigh-request-volume buckets where per-object KMS calls drive cost — a bucket-level data key slashes KMS requests (recognition level)
SSE-CYou supply the key with every request; AWS uses it in memory and discards itYou must track key usage yourselfRare: you insist on holding keys but still want S3 to do the encryption work
Client-side encryptionEntirely yours — data is encrypted before uploadEntirely yoursThe strictest requirement: AWS must never hold plaintext or usable keys; encryption/decryption burden moves into your application

The decision rule compresses well. No key requirement → SSE-S3. Audit, key-level access control, or cross-account → SSE-KMS with a customer managed key. KMS request costs at massive scale → add Bucket Keys. "AWS must never see the plaintext" → client-side encryption — no server-side option can meet that wording, because every SSE variant has S3 performing the encryption on data it momentarily holds in plaintext. To mandate a particular encryption type on uploads, use a bucket policy that denies PutObject unless the request specifies the required server-side encryption header.

One more SSE-KMS behavior earns its own trap: because decryption requires KMS permissions, a principal can have full S3 permissions and still get access-denied on a KMS-encrypted object. Exam stems describe exactly that symptom — "the user has s3:GetObject but receives an error on some objects" — and the answer is missing kms:Decrypt on the key. Expect the S3 options to appear side by side as answer choices, differing only in key ownership; match the requirement's strongest word (audit, control, never-see-plaintext) to the table row that provides it.

EBS and RDS encryption: encrypt at creation, or take the snapshot path

Block storage and database encryption share one governing rule: encryption is set when the resource is created, and cannot be toggled on an existing resource in place. Everything the exam asks about EBS and RDS encryption is a consequence of that rule.

EBS volumes encrypt with a KMS key (the aws/ebs AWS managed key by default, or a customer managed key you specify), covering the volume, its snapshots, and data moving between the volume and the instance. Enable EBS encryption by default at the account/Region level and every new volume is encrypted without anyone remembering to tick the box — the standard answer to "ensure all future volumes are encrypted with LEAST operational overhead." Encryption is sticky in the safe direction: snapshots of an encrypted volume are encrypted, and volumes restored from encrypted snapshots are encrypted; you cannot strip encryption off. For an existing unencrypted volume, the path is fixed and worth memorizing as a sequence: snapshot the volume → copy the snapshot with encryption enabled (choosing your KMS key) → create a new volume from the encrypted copy → swap it onto the instance. The snapshot-copy step is also how you re-encrypt under a different key, and how you share encrypted data across accounts — which requires a customer managed key, because snapshots encrypted with the default AWS managed key cannot be shared.

RDS follows the same shape. Enable encryption at instance creation and it covers the instance's storage, automated backups, snapshots, and read replicas. You cannot encrypt a running unencrypted instance, and you cannot restore an unencrypted snapshot directly into an encrypted instance. The migration path mirrors EBS: take a snapshot → copy the snapshot with encryption enabled → restore a new instance from the encrypted copy → repoint the application (expect a cutover window, or use replication tooling to narrow it). Replicas add a regional wrinkle: KMS keys are regional, so a cross-Region encrypted read replica or snapshot copy is encrypted with a key in the destination Region, which you specify during the copy.

Exam scenarios here are procedural: "an unencrypted production database must be encrypted to meet a new compliance requirement — what should the solutions architect do?" The correct chain is always snapshot → encrypted copy → restore/create → cut over. Distractors offer the impossible shortcuts: "modify the instance to enable encryption" or "enable encryption on the existing volume." If an option flips encryption on in place, eliminate it.

Data access and governance: bucket policies, Block Public Access, private paths, and Macie

Encryption protects data from whoever lacks the key; access controls decide who legitimately gets to it, and Task 1.3 expects you to layer them. The first layer is the policy pair. IAM policies are identity-based: attached to users and roles, they answer "what can this principal do, across all services?" S3 bucket policies are resource-based: attached to the bucket, they answer "who may touch this bucket, and under what conditions?" Within one account, access is granted if either an IAM policy or the bucket policy allows it and nothing explicitly denies it — an explicit deny anywhere always wins. Bucket policies earn their place in three situations IAM alone handles badly: cross-account access (grant another account's principals access without creating roles for each), bucket-wide guardrails (deny unencrypted uploads, deny non-TLS transport), and condition-based restriction (allow access only from specific VPC endpoints or IP ranges).

The second layer is the blunt instrument: S3 Block Public Access. Applied at the account or bucket level, it overrides any bucket policy or ACL that would otherwise expose data publicly. It is the exam's answer to "prevent any bucket in the organization from ever being made public" — a preventive control, superior to detective alternatives like alerting on public buckets after the fact, and it should be on at the account level unless a bucket genuinely serves public content.

The third layer is the network path. By default, traffic from a VPC to S3 resolves to public service endpoints. A VPC gateway endpoint for S3 (or DynamoDB) keeps that traffic on the AWS network with no internet gateway or NAT in the path, at no charge; interface endpoints (AWS PrivateLink) do the same for most other services via an ENI in your subnet. The governance move the exam loves: combine the endpoint with a bucket policy that denies access unless the request arrives via your endpoint (condition on aws:sourceVpce) — now the data has exactly one door, and it is private. "Data must not traverse the public internet" is a VPC endpoint requirement, not an encryption requirement.

The fourth layer is knowing what you are protecting: Amazon Macie uses machine learning and pattern matching to discover sensitive data — PII, credentials, financial records — in S3, and reports where it lives and whether the buckets holding it are public or unencrypted. Any stem containing "identify buckets containing personally identifiable information" or "discover sensitive data at scale" is a Macie question. Expect governance items to be layering questions: the correct answer combines a preventive control (Block Public Access, deny-conditions) with the private path or discovery tool the requirement names, while distractors offer a single control or a detective one where prevention was demanded.

Classification, retention, and recovery: Object Lock, lifecycle, replication, and backups

Compliance requirements about data usually arrive as sentences about time: keep it for seven years, make it undeletable, be able to recover it, keep a copy in another Region. Each phrase maps to a specific control, and the exam grades you on the mapping.

Immutability is S3 Object Lock: write-once-read-many (WORM) protection with a retention period per object, on a bucket with versioning enabled (a prerequisite). Its two modes are the decision point. Governance mode protects objects but lets specially-permissioned users override or shorten retention — right for internal policy where administrators need an escape hatch. Compliance mode allows no one, not even the root user, to delete an object version or shorten its retention until the period expires — the only correct answer when the stem says "regulatory requirement," "must not be deleted by any user," or "MOST secure" retention. A legal hold is the third tool: indefinite protection with no expiry, applied and removed explicitly, for litigation scenarios where the end date is unknown.

Recovery from mistakes is versioning on its own: overwrites and deletes become recoverable prior versions (a delete merely adds a delete marker), with MFA Delete as an extra gate on permanent deletion. Cost-aligned retention is lifecycle configuration: transition objects to cheaper storage classes as they age — Standard-IA, then the Glacier tiers for archives — and expire them (and their noncurrent versions) when the retention clock runs out. A seven-year retention requirement is typically Object Lock for immutability plus a lifecycle rule moving the data to a Glacier class for cost, and distractors will offer one without the other.

Geographic and organizational survival is replication and backup — and they are not the same control. Cross-Region Replication (CRR) continuously copies new S3 objects to a bucket in another Region (versioning required on both sides), answering requirements to keep data hundreds of miles away or serve it closer to a second team; it can even replicate into a different account, isolating the copy from a compromise of the source account. But replication faithfully propagates changes — it is availability, not point-in-time protection. Backups — RDS automated backups and snapshots, EBS snapshots, and AWS Backup for centralized, policy-driven scheduling across services — give you point-in-time recovery, and AWS Backup Vault Lock extends WORM immutability to the backups themselves. Exam stems distinguish these by intent: "recover from accidental deletion or corruption" needs versioning or backups; "retain in a second Region" needs CRR or cross-Region backup copies; "prevent anyone from tampering with retained data" needs Object Lock or Vault Lock in compliance mode.

Worked scenarios: turning constraint language into control choices

Scenario 1 — auditable keys and a partner account. A financial-services company stores reports in S3. Regulators require that the security team control exactly which principals can decrypt the data, that every decryption be auditable, and that a partner AWS account be able to read one prefix. Work the requirements against the key-type ladder. SSE-S3 fails immediately: no key policy, no key-usage audit trail. SSE-KMS with the AWS managed aws/s3 key gets CloudTrail logging of key use but fails twice — its key policy cannot be edited, and AWS managed keys cannot be used cross-account. CloudHSM is over-engineering: nothing in the requirement says single-tenant hardware, and it would add operational burden without adding a required capability. The answer is SSE-KMS with a customer managed key: the security team authors the key policy (control), CloudTrail records every encrypt/decrypt (audit), and a key policy statement plus the partner's IAM policies grant cross-account decryption — paired with a bucket policy granting the partner account access to the prefix. This elimination pattern — each stronger requirement killing one more option — is exactly how the real items are constructed.

Scenario 2 — the unencrypted production database. An audit finds a production RDS instance unencrypted; the new policy requires encryption at rest with a customer managed key, with minimal disruption. There is no in-place toggle, so any option that "modifies the instance to enable encryption" is wrong by mechanism. The path: snapshot the instance → copy the snapshot with encryption enabled, selecting the customer managed key → restore a new instance from the encrypted copy → cut the application over (a maintenance window, or replication to narrow the gap). The same reasoning answers the EBS variant: snapshot, encrypted copy, new volume, swap. When two answer options both reach an encrypted database, prefer the one that follows this exact sequence; the distractor usually skips the copy step or claims a direct restore of an unencrypted snapshot into an encrypted instance.

Scenario 3 — seven years, untouchable. A healthcare provider must retain records for seven years, guarantee no employee — including administrators — can delete or alter them, and minimize storage cost. "No one including administrators" selects Object Lock in compliance mode (governance mode fails: privileged users can override it), which requires versioning. Cost drives a lifecycle rule transitioning records to a Glacier storage class. If the stem adds "survive a Regional disaster," layer Cross-Region Replication to a second locked bucket. Three requirements, three controls, one answer option that contains all three — the option with only two is the trap.

Tip. SAA-C03 turns Task 1.3 into elimination problems: a scenario states an encryption requirement with one qualifying phrase — audit every key use, share with another account, AWS must never see plaintext, dedicated single-tenant hardware — and only one rung of the key-ownership ladder (SSE-S3 → SSE-KMS with AWS managed key → customer managed key → client-side/CloudHSM) satisfies it, while cheaper rungs appear as distractors. Procedural traps test whether you know encryption is fixed at creation: any option that enables encryption in place on an existing EBS volume or RDS instance is wrong, and the snapshot → encrypted-copy → restore sequence is the correct chain. Certificate questions hinge on placement (regional ACM certs vs the CloudFront us-east-1 rule) and on what renews itself (DNS-validated ACM certs) versus what you must re-import. Compliance and retention stems reward literal reading: "no user, including administrators" means Object Lock compliance mode, "identify PII" means Macie, "never traverse the public internet" means VPC endpoints, and "prevent any bucket from being public" means account-level Block Public Access.

Key takeaways
  • Requirement mentions controlling key policies, rotation, disabling keys, or cross-account access → customer managed KMS key; AWS managed keys allow none of those.
  • "Single-tenant," "dedicated hardware," or "AWS must never access key material" → CloudHSM; a plain audit/control requirement → KMS (CloudHSM loses every LEAST-operational-overhead contest).
  • SSE-S3 for baseline encryption; SSE-KMS (customer managed key) when you must audit or control key usage; client-side encryption only when AWS must never see plaintext; Bucket Keys cut KMS costs at scale.
  • EBS/RDS encryption is set at creation — encrypting existing resources is always snapshot → copy with encryption → restore/create new → cut over; in-place toggles are distractor bait.
  • ACM certificates are regional and must match the resource's Region — except CloudFront, which always requires the certificate in us-east-1; ACM auto-renews its own DNS-validated certs, never imported ones.
  • KMS automatic rotation keeps old key material, so nothing is re-encrypted and applications keying off the alias never change; imported key material can only be rotated manually via a new key + alias repoint.
  • Enforce transit encryption explicitly: ALB HTTP→HTTPS redirect, CloudFront viewer protocol policy, and S3 bucket policies denying aws:SecureTransport=false.
  • Retention language maps directly: "no one can delete, regulatory" → Object Lock compliance mode (+versioning); "recover from mistakes" → versioning/backups; "copy in another Region" → CRR; "find PII" → Macie; "never public" → Block Public Access.

Frequently asked questions

What is the difference between AWS managed keys and customer managed keys in KMS?

AWS managed keys (like aws/s3) are created and rotated by AWS for a specific service: they are free, rotate automatically every year, and require no administration, but you cannot edit their key policies, disable them, or use them across accounts. Customer managed keys are keys you create: you write the key policy, issue grants, enable or disable the key, choose whether automatic rotation is on, and can grant other AWS accounts permission to use the key. Any exam requirement involving control, custom access rules, or cross-account sharing points to a customer managed key; AWS managed keys only satisfy plain encryption-at-rest requirements.

What is the difference between SSE-S3 and SSE-KMS?

Both encrypt S3 objects server-side; they differ in key ownership and auditability. SSE-S3 (the default) uses keys that S3 manages entirely — free and zero-administration, but with no key policy and no key-usage audit trail. SSE-KMS uses a KMS key, so every encrypt and decrypt is a KMS API call logged in CloudTrail, and with a customer managed key you control exactly who can use the key, independent of S3 permissions. Choose SSE-KMS when the requirement mentions auditing key usage, restricting who can decrypt, or cross-account access; SSE-S3 when it only says data must be encrypted at rest.

How do I encrypt an existing unencrypted EBS volume or RDS database?

You cannot enable encryption in place on either. For EBS: create a snapshot of the volume, copy the snapshot with encryption enabled (choosing your KMS key), create a new volume from the encrypted copy, and attach it in place of the original. For RDS: take a snapshot, copy it with encryption enabled, restore a new instance from the encrypted copy, and repoint your application. Any answer option that modifies the existing volume or instance to switch encryption on is incorrect — the snapshot-copy-restore sequence is the only path, and it is also how you change to a different KMS key.

Why does CloudFront require an ACM certificate in us-east-1?

ACM certificates are regional resources, usable only by services in the Region where the certificate was requested or imported. CloudFront, however, is a global service — its edge locations are not tied to one Region — and it reads custom-domain certificates exclusively from the US East (N. Virginia) Region. So a certificate for a CloudFront distribution must be requested or imported in us-east-1, no matter where your origins, users, or other infrastructure live. Regional services like Application Load Balancers and API Gateway need the certificate in their own Region instead. Exam questions test this by placing the certificate in the wrong Region and asking why the distribution cannot use it.

When should I use AWS CloudHSM instead of KMS?

Use CloudHSM when compliance explicitly demands single-tenant, dedicated hardware security modules under your exclusive control — FIPS 140 Level 3 hardware where AWS has no access to your key material — or when you run workloads like your own PKI or database transparent data encryption with keys only you hold. For everything else, KMS is the better answer: it integrates natively with S3, EBS, RDS and most services, logs every operation to CloudTrail, and carries far less operational burden. If you need both dedicated hardware and native service integration, a KMS custom key store backed by your CloudHSM cluster combines them.

What is S3 Object Lock and when do I need compliance mode?

S3 Object Lock provides write-once-read-many (WORM) protection: object versions cannot be deleted or overwritten for a retention period you set, on a bucket with versioning enabled. Governance mode protects objects but allows users with special permission to override or shorten retention — suitable for internal policies needing an administrative escape hatch. Compliance mode allows no one, including the root user, to delete a protected version or reduce its retention until the period expires. Choose compliance mode whenever a scenario cites a regulatory mandate or says no user may delete the data. Legal holds add indefinite protection with no fixed end date.

How does KMS key rotation work — do I have to re-encrypt my data?

No re-encryption is needed. When KMS rotates a key — automatically every year for AWS managed keys, or on the opt-in schedule you enable for customer managed keys — it generates new key material but retains every previous version. The key ID and alias stay the same: new encryption uses the new material, and old ciphertexts decrypt with the material that created them, transparently. Keys with imported key material cannot rotate automatically; you rotate them manually by creating a new key and pointing the existing alias at it, which is why applications should always reference keys by alias rather than key ID.

Test yourself on this topic
Practice questions with full explanations.
Practice now

Sign up free to mark lessons complete, bookmark topics and track your exam readiness.