
Data Protection And Encryption Design — AWS Solutions Architect (SAA-C03)

4% of exam questions (8 of 200)

Key ownership determines which KMS configuration applies

Architecture requirement: encrypt sensitive data at rest with auditable, controllable key access. Competing choices: AWS managed keys (aws/service), customer managed keys (CMK), or customer-provided keys (SSE-C for S3). Deciding constraint: does the scenario require customer control over key rotation, cross-account access, or key revocation? AWS managed keys are opaque — you cannot grant cross-account access or disable them independently. When the scenario specifies key control, rotation policy, or compliance requirements around key custody, the answer requires a CMK.

What This Pattern Tests

The exam tests encryption decision points across services. S3 offers SSE-S3 (AWS manages keys, zero config), SSE-KMS (customer-managed KMS key with CloudTrail logging of every key use, key policy controls, automatic rotation), and SSE-C (you provide the key per request, AWS never stores it). The decision depends on requirements: "encrypt at rest" = SSE-S3. "Audit every access to encrypted data" = SSE-KMS with CloudTrail. "Regulatory requirement to control HSM" = CloudHSM. Cross-account access to encrypted data requires KMS key policies that grant the other account permission — a common exam scenario.

Decision Axis

Key management responsibility (zero vs. policy control vs. full ownership) maps to compliance requirements.

Associated Traps


Decision Rules

Whether a requirement for automatic, managed rotation of RDS credentials selects AWS Secrets Manager over Parameter Store SecureString: Secrets Manager provides a native RDS rotation Lambda integration, while Parameter Store requires the architect to author, deploy, and maintain a custom rotation function.

AWS Secrets Manager · AWS Systems Manager Parameter Store · Amazon RDS
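The "native rotation" that tips this decision rule toward Secrets Manager is a four-step protocol (createSecret, setSecret, testSecret, finishSecret) that the service drives by invoking a rotation Lambda with a Step, SecretId and ClientRequestToken. The code below is an added example, not the AWS-provided RDS rotation function and not code from this page: it implements that protocol against in-memory stand-ins (FakeSecretsManager, FakeDatabase) and a constructed secret name, so it runs offline and shows why the testSecret step matters before the new version is promoted to AWSCURRENT.

```python
"""Four-step rotation protocol that a Secrets Manager rotation function
implements (createSecret, setSecret, testSecret, finishSecret), driven against
in-memory stand-ins for Secrets Manager and for an RDS database. Added example,
not the AWS-provided RDS rotation function; FakeSecretsManager, FakeDatabase
and the secret name are constructed for the demonstration."""
import secrets
import string

SECRET_ID = "prod/app/rds-credentials"  # constructed placeholder name


class FakeSecretsManager:
    """Versions keyed by id, each carrying staging labels, mirroring how
    AWSCURRENT / AWSPENDING / AWSPREVIOUS behave in the real service."""

    def __init__(self, current: dict):
        self.versions = {"v0": {"labels": {"AWSCURRENT"}, "value": current}}

    def get(self, label: str) -> dict:
        for v in self.versions.values():
            if label in v["labels"]:
                return v["value"]
        raise KeyError(label)

    def put_pending(self, version_id: str, value: dict) -> None:
        self.versions[version_id] = {"labels": {"AWSPENDING"}, "value": value}

    def promote(self, version_id: str) -> None:
        """Move AWSCURRENT to version_id; the old current becomes AWSPREVIOUS."""
        for v in self.versions.values():
            if "AWSCURRENT" in v["labels"]:
                v["labels"] = {"AWSPREVIOUS"}
            elif "AWSPREVIOUS" in v["labels"]:
                v["labels"] = set()
        self.versions[version_id]["labels"] = {"AWSCURRENT"}


class FakeDatabase:
    """Stand-in for RDS. read_only models a replica that silently drops the
    password change, the kind of fault the testSecret step exists to catch."""

    def __init__(self, user: str, password: str, read_only: bool = False):
        self.users, self.read_only = {user: password}, read_only

    def alter_password(self, user: str, password: str) -> None:
        if not self.read_only:
            self.users[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


def rotation_handler(event: dict, sm: FakeSecretsManager, db: FakeDatabase) -> str:
    """Same event shape Secrets Manager sends a rotation Lambda: Step,
    SecretId and ClientRequestToken (the id of the version being created)."""
    step, token = event["Step"], event["ClientRequestToken"]
    if step == "createSecret":
        # mint the new credential as AWSPENDING; the database is untouched
        current = sm.get("AWSCURRENT")
        alphabet = string.ascii_letters + string.digits
        new_pw = "".join(secrets.choice(alphabet) for _ in range(32))
        sm.put_pending(token, {**current, "password": new_pw})
    elif step == "setSecret":
        pending = sm.get("AWSPENDING")
        db.alter_password(pending["username"], pending["password"])
    elif step == "testSecret":
        pending = sm.get("AWSPENDING")
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("pending credential rejected; rotation aborted")
    elif step == "finishSecret":
        sm.promote(token)  # only now do clients start receiving the new value
    else:
        raise ValueError(f"unknown rotation step: {step}")
    return step


def rotate(sm: FakeSecretsManager, db: FakeDatabase, token: str = "v1") -> dict:
    """Drive all four steps in order, as the service does on its schedule."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        event = {"Step": step, "SecretId": SECRET_ID, "ClientRequestToken": token}
        rotation_handler(event, sm, db)
    return sm.get("AWSCURRENT")
```

In a real rotation function the stand-ins are replaced by Secrets Manager calls (get_secret_value with a VersionStage, put_secret_value with VersionStages=["AWSPENDING"], update_secret_version_stage) and by the database driver. The point for the exam rule is that Secrets Manager ships and schedules this whole sequence for RDS, whereas with Parameter Store every step, including the test-before-promote safety check, is code the architect has to own.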

Should the architect configure SSE-S3 (AWS-managed AES-256 key) or SSE-KMS with a customer-managed key (CMK) — both encrypt at rest, but only SSE-KMS with a CMK delivers customer key-policy control and per-usage CloudTrail visibility required by the auditability and customer-controlled-key-policy constraints.

AWS Key Management Service · Amazon S3
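Two of the points above, the cross-account key policy from "What This Pattern Tests" and the SSE-S3 versus SSE-KMS-with-CMK rule just stated, come down to policy documents the architect has to write. The following is an added example, not code from this page or from AWS: it builds a customer managed key policy that grants a second account use of the key only through S3 (kms:ViaService), an S3 bucket policy that denies PutObject unless the request specifies SSE-KMS with that exact key, a simplified evaluator that shows which upload requests the bucket policy rejects, and an audit helper that lists the cross-account principals a key policy exposes. The account IDs, key ARN and bucket name are constructed placeholders.

```python
"""Cross-account SSE-KMS design: a customer managed key (CMK) whose key policy
grants a second account use of the key only via S3, plus an S3 bucket policy
that rejects uploads not encrypted with that key. Added example, not code from
AWS or from the page; account IDs, key ARN and bucket name are constructed."""

OWNER_ACCOUNT = "111111111111"     # constructed: owns the key and the bucket
CONSUMER_ACCOUNT = "222222222222"  # constructed: cross-account principal
REGION = "us-east-1"
KEY_ARN = (f"arn:aws:kms:{REGION}:{OWNER_ACCOUNT}:key/"
           "00000000-0000-0000-0000-000000000000")  # constructed key id
BUCKET = "example-sensitive-data"  # constructed
SSE_HEADER = "s3:x-amz-server-side-encryption"
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def kms_key_policy() -> dict:
    """Key policy for the CMK. An AWS managed key (aws/s3) cannot carry a
    policy like this, which is why cross-account access forces a CMK."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # owning account keeps full administrative control
                "Sid": "EnableOwnerAccountAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # other account gets cryptographic use only, and only via S3
                "Sid": "AllowConsumerAccountUseViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{CONSUMER_ACCOUNT}:root"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "kms:ViaService": f"s3.{REGION}.amazonaws.com"}},
            },
        ],
    }


def bucket_policy() -> dict:
    """Deny PutObject unless the request asks for SSE-KMS with this CMK."""
    obj_arn = f"arn:aws:s3:::{BUCKET}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny",
             "Principal": "*", "Action": "s3:PutObject", "Resource": obj_arn,
             "Condition": {"Null": {SSE_HEADER: "true"}}},
            {"Sid": "DenyNonKmsEncryption", "Effect": "Deny",
             "Principal": "*", "Action": "s3:PutObject", "Resource": obj_arn,
             "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
            {"Sid": "DenyWrongKey", "Effect": "Deny",
             "Principal": "*", "Action": "s3:PutObject", "Resource": obj_arn,
             "Condition": {"StringNotEquals": {KEY_HEADER: KEY_ARN}}},
        ],
    }


def put_object_allowed(headers: dict) -> bool:
    """Simplified evaluation of the bucket policy for one PutObject request
    (headers = the request's condition-key values): a matching Deny wins.
    Only the two condition operators used above are modelled."""
    for stmt in bucket_policy()["Statement"]:
        (operator, tests), = stmt["Condition"].items()
        matched = True
        for key, expected in tests.items():
            actual = headers.get(key)
            if operator == "StringNotEquals":
                # negated operator: an absent key also counts as "not equal"
                matched &= actual != expected
            elif operator == "Null":
                matched &= (actual is None) == (expected == "true")
        if matched:
            return False
    return True


def foreign_accounts_granted(policy: dict, owner: str) -> set:
    """Audit helper: accounts other than the owner named as principal in an
    Allow statement, i.e. the cross-account exposure of this key."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        arns = stmt["Principal"].get("AWS", [])
        for arn in ([arns] if isinstance(arns, str) else arns):
            account = arn.split(":")[4]
            if account != owner:
                found.add(account)
    return found
```

Two design notes. The key policy alone is not sufficient for cross-account use: identities in the consumer account also need an IAM policy allowing the same kms: actions, since both sides must grant access. And the evaluator deliberately rejects an upload that says aws:kms but omits the key id header, because that request would fall back to whichever key is the bucket default rather than the audited CMK; the policy forces callers to name the key, so every use shows up in CloudTrail under that key.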

Domain Coverage

Design Secure Architectures

Difficulty Breakdown

Medium: 4 · Hard: 4