🔑 AWS Key Management Service (KMS) - SAA-C03 Practice Questions

KMS creates and manages encryption keys. Master CMKs, envelope encryption, key rotation, key policies, and integration with S3, EBS, RDS, and other services.

15 Questions Available
1 Exam Domain


How KMS Is Really Tested in SAA-C03

KMS questions focus on key governance rather than basic encryption concepts. The exam checks whether your key policy, IAM policy, and service integration model align with least privilege and compliance goals.

SAA-C03 frequently distinguishes between AWS-managed keys and customer-managed keys. The right choice is driven by audit, lifecycle control, and cross-account sharing requirements.

In secure design questions, the strongest answer usually combines encryption at rest with explicit access boundaries and monitored key usage.

KMS architecture choices that commonly appear in SAA-C03

| Decision Point | Option A | Option B | Exam Takeaway |
|---|---|---|---|
| Key ownership model | Customer managed KMS keys with explicit key policies and rotation controls | Service default managed keys with limited policy customization | If compliance requires granular control and auditability, customer managed keys are usually expected. |
| Cross-account access pattern | Explicit key policy grants and tightly scoped IAM permissions | Broad wildcard permissions with minimal key policy constraints | Cross-account encryption access scenarios usually reward explicit, narrowly scoped key policy design. |
| Application encryption implementation | Envelope encryption using data keys for scale and performance | Directly encrypt every payload with KMS API calls | Large-scale workload scenarios often expect envelope encryption rather than direct per-object KMS calls. |

Regulated workload encryption governance

A regulated application stores sensitive data in multiple AWS services and needs strict key control, access auditing, and periodic rotation assurance.

  • Use customer managed keys for sensitive data domains.
  • Define key policies that restrict administrative and usage actions by role.
  • Integrate CloudTrail monitoring for key usage and key policy changes.
  • Document rotation and key disablement recovery procedures.

Common Exam Trap: Relying on broad IAM administrator permissions without explicit key policy boundaries is a frequent security anti-pattern in exam options.

SAA-C03 KMS Question Bank (15 Questions)

Browse all 15 practice questions covering AWS Key Management Service (KMS) for the SAA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Design Secure Architectures)

    A company is using a Customer Managed Key (CMK) in AWS KMS to encrypt EBS volumes. A separate audit team needs to be able to view the key metadata and audit usage logs but must be strictly prevented from using the key for cryptographic operations (encrypt/decrypt). How should the Key Policy be configured?

    A. Create a separate IAM policy for the auditors with `kms:Describe*` and `kms:List*`. Deny `kms:Encrypt` and `kms:Decrypt`.
    B. In the KMS Key Policy, add a statement allowing the audit team principal to perform `kms:DescribeKey`, `kms:GetKeyPolicy`, and `kms:ListGrants`. Do not add them to the statement allowing cryptographic operations.
    C. Use a Grant to allow the audit team temporary access to describe the key.
    D. Enable CloudTrail and give the audit team read access to the CloudTrail S3 bucket only.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAA-C03 Quiz
  2. Question 2 (Design High-Performing Architectures)

    A developer wants to encrypt a 1 GB file before uploading it to S3, using a key stored in KMS. However, the `kms:Encrypt` API call fails because the data is too large. What is the correct approach (Envelope Encryption)?

    A. Use the `kms:GenerateDataKey` API to get a plaintext key and an encrypted key. Use the plaintext key to encrypt the file locally, then discard the plaintext key and upload the encrypted file and encrypted key.
    B. Use the `kms:ReEncrypt` API to handle large files.
    C. Compress the file to under 4 KB before encrypting.
    D. Upload the file to S3 first, then use S3 Batch Operations to encrypt it.

    Answer hidden for practice.
  3. Question 3 (Design Secure Architectures)

    A compliance rule requires that data at rest uses envelope encryption with keys stored in KMS and that the KMS keys must never be accessible by AWS staff. Which statement is accurate and appropriate?

    A. Use AWS-managed CMKs — these are fully inaccessible to AWS staff and meet the requirement.
    B. Use a customer-managed CMK in your account (SSE-KMS) with automatic rotation; AWS staff cannot use customer-managed CMKs because the keys are inaccessible outside the HSMs and used only under your authorization (IAM/Key Policies).
    C. Store keys in an EC2 instance and use OS-level encryption only.
    D. Upload keys to an S3 bucket with public access restricted.

    Answer hidden for practice.
  4. Question 4 (Design Secure Architectures)

    Company A needs to share encrypted S3 objects with Company B (a different AWS account). Company B should be able to decrypt objects but not encrypt new ones or modify the key. How should the KMS key policy be configured?

    A. Add Company B's account ID to the key administrators section.
    B. Create a key policy statement allowing Company B's account `kms:Decrypt` only.
    C. Generate a presigned URL for Company B to access the encrypted objects.
    D. Share the KMS key ARN with Company B for their IAM policies.

    Answer hidden for practice.
  5. Question 5 (Design Secure Architectures)

    A financial application requires encryption key control with FIPS 140-2 Level 3 compliance and dedicated hardware with single-tenant access. Which AWS encryption service meets these requirements?

    A. AWS KMS with Customer Managed Keys (CMK).
    B. AWS CloudHSM with dedicated hardware security modules.
    C. AWS KMS with Customer Provided Keys (external key material).
    D. AWS Secrets Manager with automatic key rotation.

    Answer hidden for practice.
  6. Question 6 (Design Secure Architectures)

    A healthcare company must encrypt data at rest using keys they manage and control, but AWS should handle the encryption/decryption process to minimize application changes. Which S3 encryption option balances control and operational simplicity?

    A. Server-Side Encryption with S3-Managed Keys (SSE-S3).
    B. Server-Side Encryption with Customer-Provided Keys (SSE-C).
    C. Server-Side Encryption with KMS Customer Managed Keys (SSE-KMS).
    D. Client-Side Encryption with customer-managed keys.

    Answer hidden for practice.
  7. Question 7 (Design Secure Architectures)

    An application requires encryption of data at rest in S3 with full control over encryption keys and automatic key rotation. Which solution meets these requirements?

    A. Use SSE-S3
    B. Use SSE-KMS with a customer managed CMK and automatic key rotation enabled
    C. Use SSE-C
    D. Use client-side encryption

    Answer hidden for practice.
  8. Question 8 (Design Secure Architectures)

    A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest. The encryption keys must be managed by the company, and they need the ability to control access to the keys and audit their usage. Which S3 encryption option should be used?

    A. Server-Side Encryption with S3-Managed Keys (SSE-S3)
    B. Server-Side Encryption with Customer-Provided Keys (SSE-C)
    C. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
    D. Client-Side Encryption

    Answer hidden for practice.
  9. Question 9 (Mixed)

    A healthcare provider requires that all data stored in Amazon S3 buckets be encrypted at rest and that encryption keys rotate automatically on an annual schedule. Which solution meets these compliance requirements with minimal management overhead?

    A. Enable S3 default encryption with SSE-S3 and configure object-level lifecycle policies for rotation.
    B. Use server-side encryption with customer-provided keys (SSE-C) and rotate the keys manually every year.
    C. Configure default encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS) and enable automatic key rotation.
    D. Use client-side encryption in the application and upload objects with a new symmetric key each year.

    Answer hidden for practice.
  10. Question 10 (Mixed)

    A compliance team mandates that encryption keys for sensitive data be separated by environment (dev, test, prod) and that key policies restrict use to the owning account. Which solution meets the requirement while minimizing operational overhead?

    A. Create one multi-tenant customer managed key (CMK) in AWS KMS and use key grants for each environment.
    B. Create separate customer managed keys in each account with key policies scoped to environment-specific IAM roles.
    C. Use AWS owned KMS keys and enforce tagging to limit access.
    D. Store symmetric keys as SecureString parameters in AWS Systems Manager Parameter Store.

    Answer hidden for practice.
  11. Question 11 (Design Secure Architectures)

    A company stores sensitive customer data in Amazon S3. The data must be encrypted at rest and the company must have full control over the encryption keys, including the ability to rotate them. Which solution meets these requirements?

    A. Use S3 server-side encryption with Amazon S3-managed keys (SSE-S3)
    B. Use S3 server-side encryption with AWS KMS-managed keys (SSE-KMS)
    C. Use S3 server-side encryption with customer-provided keys (SSE-C)
    D. Use client-side encryption before uploading to S3

    Answer hidden for practice.
  12. Question 12 (Design Secure Architectures)

    A company must ensure that all data stored in Amazon S3 is encrypted and that encryption keys are rotated automatically every 90 days. The company must maintain an audit trail of key usage. Which solution meets these requirements?

    A. Use SSE-S3 with S3 bucket policies
    B. Use SSE-KMS with automatic key rotation enabled and CloudTrail logging
    C. Use SSE-C with a custom key rotation script
    D. Use client-side encryption with the AWS Encryption SDK

    Answer hidden for practice.
  13. Question 13 (Design Secure Architectures)

    An application requires encryption of data at rest in DynamoDB with the ability to audit all encryption key usage. Which solution meets these requirements?

    A. Use DynamoDB default encryption
    B. Use DynamoDB encryption with an AWS managed CMK
    C. Use DynamoDB encryption with a customer managed CMK in KMS and enable CloudTrail
    D. Use client-side encryption

    Answer hidden for practice.
  14. Question 14 (Design Secure Architectures)

    A financial services company stores sensitive customer data in Amazon S3. Compliance regulations require that all objects be encrypted at rest using a key that the company generates and manages on-premises, but the encryption process should be handled by S3 to minimize application overhead. Which encryption option should the Architect choose?

    A. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).
    B. Server-Side Encryption with AWS KMS keys (SSE-KMS) with a Customer Managed Key (CMK).
    C. Server-Side Encryption with Customer-Provided Keys (SSE-C).
    D. Client-Side Encryption with a master key stored in AWS KMS.

    Answer hidden for practice.
  15. Question 15 (Mixed)

    An application requires all data at rest to be encrypted using keys that your company fully controls and can rotate on a custom schedule. Which AWS KMS key type should you use?

    A. AWS owned key
    B. AWS managed key
    C. Customer managed key
    D. Default EBS encryption key

    Answer hidden for practice.

Key KMS Concepts for SAA-C03

kms, encryption, key, cmk, envelope encryption, key rotation, decrypt

SAA-C03 KMS Exam Tips

AWS Key Management Service (KMS) questions in SAA-C03 are typically scenario-based. Focus on architecture trade-offs, resilience, and secure-by-default design choices. Priority concepts: kms, encryption, key, cmk, envelope encryption, key rotation.

What SAA-C03 Expects

  • Anchor your answer in choosing the most reliable and cost-aware architecture pattern, not just a feature match.
  • KMS scenarios for SAA-C03 are frequently mapped to Domain 1 (30%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where KMS interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value KMS Concepts

  • Know the core KMS building blocks cold: kms, encryption, key, cmk.
  • Review the edge-case features and limits for envelope encryption and key rotation; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how KMS pairs with IAM, S3, EBS, and RDS in real deployment patterns.
  • For SAA-C03, be able to explain why the chosen KMS design meets reliability, security, and cost expectations better than the alternatives.

Common SAA-C03 Traps

  • Watch for answers that solve today's issue but do not scale across multiple AZs.
  • Questions in Design Secure Architectures often include distractors that look correct for KMS but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two KMS implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Design Secure Architectures (30%) outcomes for SAA-C03?
  • Can you explain security and access boundaries for KMS without relying on default-open assumptions?
  • Can you describe how KMS integrates with IAM and S3 during failure, scaling, and monitoring events?
