Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For AWS DVA-C02 candidates, the confusion often lies in understanding key management distinctions and rotation capabilities with KMS keys. In production, this is about knowing exactly which KMS key type supports automatic rotation and integrates seamlessly with S3 encryption APIs. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A software development team at NovaFleet, a fast-growing logistics startup, plans to migrate their sensitive operational data from on-premises storage to Amazon S3. The team must ensure the data is encrypted at rest. Security requirements dictate that encryption keys must support automatic annual rotation without any manual intervention.
Given the security policy, NovaFleet mandates using AWS Key Management Service (KMS) to manage encryption keys for this S3 data.
The Requirement: #
Identify the appropriate KMS key type that enables NovaFleet to encrypt the S3 objects with keys managed by AWS KMS and supports automatic key rotation on an annual schedule.
The Options #
- A) Amazon S3 managed keys (SSE-S3)
- B) Symmetric customer managed keys (CMKs) with key material generated by AWS
- C) Asymmetric customer managed keys with key material generated by AWS
- D) Symmetric customer managed keys with imported key material
Correct Answer #
B) Symmetric customer managed keys (CMKs) with key material generated by AWS
Quick Insight: The Developer Imperative #
Automatic key rotation is only supported on symmetric CMKs created and managed by AWS KMS. Asymmetric keys do not support automatic rotation, and importing your own key material disables the automatic rotation feature. S3 managed keys (SSE-S3) are managed by AWS but do not allow customer control or rotation configuration via KMS.
The Expert’s Analysis #
Correct Answer #
Option B
The Winning Logic #
- AWS KMS customer managed keys (CMKs) come in symmetric and asymmetric types. Symmetric CMKs use the same key to encrypt and decrypt data, and they are the only type for which AWS KMS offers automatic key rotation.
- When you create a symmetric CMK in AWS KMS with key material generated by AWS, you can enable automatic rotation on a yearly schedule. This satisfies NovaFleet's requirement for annual rotation with no manual intervention.
- That CMK is then used to encrypt S3 objects through the SSE-KMS integration, so data at rest is protected by a key you control.
The Trap (Distractor Analysis): #
- Option A: Amazon S3 managed keys (SSE-S3) are fully managed by AWS and do not involve KMS keys at all; rotation is internal to the service and you cannot manage, audit, or configure the keys, so this fails the requirement to use KMS.
- Option C: Asymmetric CMKs are meant for signing/verification or asymmetric encryption, and KMS does not support automatic rotation on asymmetric keys. This violates the rotation requirement.
- Option D: Symmetric CMKs with imported key material mean you upload your own key bytes. AWS KMS never rotates imported key material automatically, so rotation cannot be enabled on such a key, which breaks the automatic rotation requirement.
The Technical Blueprint #
```bash
# Example: create a symmetric CMK with AWS-generated key material
# (KeyId is returned in KeyMetadata.KeyId of the command output)
aws kms create-key --description "NovaFleet S3 Encryption Key" --key-usage ENCRYPT_DECRYPT --origin AWS_KMS

# Enable automatic rotation on the symmetric CMK
aws kms enable-key-rotation --key-id <key-id>
```
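Before calling `enable-key-rotation` in a pipeline, it helps to check the key's metadata against the rules the options above turn on. The following is an added example, not code from the original note or from AWS: it takes a `DescribeKey`-shaped metadata dict and an S3 `GetBucketEncryption`-shaped config (constructed samples, field names as in the real API) and reports whether rotation can be enabled and whether the bucket actually defaults to SSE-KMS with that key.

```python
"""Pre-flight check for the NovaFleet scenario: decide from KMS DescribeKey
metadata whether automatic rotation can be enabled, and verify that an S3
bucket's default encryption points at that key (SSE-KMS).
All dicts below are constructed samples shaped like boto3/CLI output."""


def rotation_eligibility(meta: dict) -> tuple[bool, str]:
    """Return (eligible, reason) for EnableKeyRotation on this key.
    KMS only rotates symmetric encryption keys whose material it generated."""
    if meta.get("KeyManager") == "AWS":
        return False, "AWS managed key: AWS handles rotation, it is not customer-configurable"
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT" or meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        return False, f"{meta.get('KeySpec')}/{meta.get('KeyUsage')} is not a symmetric encryption key"
    if meta.get("Origin") != "AWS_KMS":
        return False, f"origin {meta.get('Origin')}: KMS does not rotate imported or external material"
    return True, "symmetric key with AWS-generated material: EnableKeyRotation is allowed"


def bucket_uses_key(encryption_config: dict, key_arn: str) -> bool:
    """True if the bucket's default encryption rule is SSE-KMS with key_arn."""
    for rule in encryption_config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID") == key_arn:
            return True
    return False


# Constructed samples modelled on the four answer options (placeholder account/key ids)
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
OPTION_B = {"Arn": KEY_ARN, "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
            "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "KeyState": "Enabled"}
OPTION_C = dict(OPTION_B, KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY")   # asymmetric
OPTION_D = dict(OPTION_B, Origin="EXTERNAL")                           # imported material
AWS_MANAGED = dict(OPTION_B, KeyManager="AWS")                         # e.g. aws/s3, not customer-rotatable
BUCKET_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
                                "BucketKeyEnabled": True}]}

if __name__ == "__main__":
    for name, meta in [("AWS managed", AWS_MANAGED), ("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)]:
        ok, why = rotation_eligibility(meta)
        print(f"{name}: {'eligible' if ok else 'NOT eligible'} - {why}")
    print("bucket defaults to the option B key:", bucket_uses_key(BUCKET_ENCRYPTION, KEY_ARN))
```

In a real deployment you would feed it the output of `aws kms describe-key` and `aws s3api get-bucket-encryption`; option A (SSE-S3) has no KMS key to describe, which is the point of the distractor.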
The Comparative Analysis #
| Option | Key Type | Key Material Origin | Supports Auto Rotation | Use Case | Pros | Cons |
|---|---|---|---|---|---|---|
| A | AWS managed key (SSE-S3) | AWS managed | Yes (internal) | Basic S3 encryption | No management overhead | No customer key control |
| B | Symmetric customer managed key (CMK) | AWS generated | Yes | Controlled encryption with rotation | Full control, rotation support | Requires KMS management |
| C | Asymmetric customer managed key (CMK) | AWS generated | No | Signing, asymmetric crypto | Specialized crypto operations | No rotation, limited S3 use |
| D | Symmetric customer managed key (CMK) | Imported | No | Customer-supplied keys | Full control of key material | No auto rotation |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick Symmetric customer managed CMKs with AWS generated key material when the question requires KMS key usage and automatic rotation.
Real World #
In production, many organizations import their own key material for compliance reasons, but this trade-off disables automatic rotation and adds operational overhead. Developers and security teams must weigh the benefits of rotation automation versus control over key provenance.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.