🔑 AWS Key Management Service (KMS) - SOA-C03 Practice Questions

Study KMS keys, key policies, grants, rotation, envelope encryption, multi-Region keys, and troubleshooting encrypted AWS resources.

20 Questions Available
1 Exam Domain


SOA-C03 KMS Question Bank (20 Questions)

Browse all 20 practice questions covering AWS Key Management Service (KMS) for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1: Security & Compliance (Select All That Apply)

    A SysOps Administrator needs to grant a Lambda function access to decrypt data using a KMS Customer Managed Key (CMK). The KMS key policy currently only allows the key administrator to manage the key. Which changes are required to allow the Lambda function to use the key for decryption? (Select TWO.)

    A. Add a statement to the KMS key policy that allows the Lambda function's execution role to perform `kms:Decrypt`.
    B. Attach an IAM policy to the Lambda function's execution role that allows `kms:Decrypt` on the KMS key ARN.
    C. Add the Lambda function's execution role as a key administrator in the KMS key policy.
    D. Enable KMS automatic key rotation, which grants all IAM roles decrypt access.
    E. Share the KMS key using AWS Resource Access Manager (RAM) with the Lambda function's account.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

  2. Question 2: Security & Compliance

    A SysOps Administrator needs to grant a partner application temporary permission to encrypt and decrypt data using a specific KMS key for a 24-hour window. The partner application is running as an IAM role in a different AWS account. The administrator does not want to modify the KMS key policy permanently. Which KMS feature should be used?

    A. Create a KMS grant for the partner's IAM role ARN with `Encrypt` and `Decrypt` operations, and set a retirement constraint tied to a time-based condition.
    B. Add the partner's IAM role to the KMS key policy with a condition limiting access to 24 hours, then manually remove it after.
    C. Share the KMS key with the partner account using AWS Resource Access Manager (RAM).
    D. Export the KMS key material and share it with the partner for 24 hours.

  3. Question 3: Security & Compliance

    A company has a policy that requires all S3 objects to be encrypted at rest using AWS KMS keys managed by the company (SSE-KMS). A SysOps administrator needs to enforce this requirement so that any upload without the correct encryption header is denied. What should the administrator do?

    A. Add an S3 bucket policy with a `Deny` statement that checks `s3:x-amz-server-side-encryption` is not equal to `aws:kms` on `s3:PutObject` actions.
    B. Enable default encryption on the S3 bucket with SSE-KMS and rely on it to encrypt all objects automatically.
    C. Configure an AWS Config rule to detect unencrypted objects and set up automatic remediation to re-encrypt them.
    D. Create an IAM policy for all users that adds a condition key requiring SSE-KMS on all S3 PUT operations.

  4. Question 4: Security & Compliance

    A SysOps Administrator manages KMS customer managed keys (CMKs). The security team requires that keys be rotated annually. The administrator has two types of keys: one CMK created with AWS-generated key material and one CMK created with imported key material. Which statement about KMS key rotation is correct?

    A. Both key types support automatic annual rotation; enable it once in the KMS console.
    B. The CMK with AWS-generated key material supports automatic annual rotation. The CMK with imported key material does NOT support automatic rotation; it must be rotated manually by creating a new CMK, re-importing new material, and updating the alias.
    C. Neither key type supports automatic rotation; both require manual rotation.
    D. Automatic rotation is only available for AWS managed keys (`aws/*`), not for customer managed keys.

  5. Question 5: Security & Compliance

    An administrator needs to implement automatic KMS key rotation for a customer-managed symmetric KMS key used to encrypt EBS volumes. Which statement about KMS automatic key rotation is correct?

    A. When automatic rotation is enabled, KMS generates new key material annually by default, but old key material is retained indefinitely to decrypt previously encrypted data.
    B. KMS automatic rotation changes the key ID and ARN after each rotation, requiring updates to all resource policies.
    C. KMS automatic rotation is only supported for asymmetric keys.
    D. Automatic rotation immediately re-encrypts all existing EBS volumes with the new key material.

  6. Question 6: Security & Compliance

    A company stores sensitive customer data in S3 and uses AWS KMS for encryption. The security team wants to ensure that a specific KMS key can only be used for cryptographic operations when the request originates from the company's VPC. Which approach achieves this?

    A. Attach a VPC endpoint policy that allows KMS operations only from the VPC.
    B. Add a condition in the KMS key policy using the `aws:sourceVpce` or `aws:sourceVpc` condition keys.
    C. Configure the S3 bucket policy to deny access from outside the VPC.
    D. Use a KMS grant with a VPC constraint.

  7. Question 7: Security & Compliance

    A SysOps administrator wants to enforce that all new KMS keys created in an account have automatic key rotation enabled. Which mechanism prevents the creation of keys without rotation?

    A. AWS Config rule (`cmk-backing-key-rotation-enabled`) to detect and remediate.
    B. SCP denying `kms:CreateKey`.
    C. IAM policy condition requiring rotation.
    D. KMS key policy requiring rotation.

  8. Question 8: Security & Compliance

    A SysOps administrator uses KMS for EBS volume encryption. What happens to data in an encrypted EBS volume if the KMS key is deleted?

    A. The data becomes permanently inaccessible once the key is deleted.
    B. EBS automatically creates a new key for decryption.
    C. The data is automatically decrypted and stored unencrypted.
    D. AWS recovers the key from a backup.

  9. Question 9: Security & Compliance (Select All That Apply)

    A SysOps administrator needs to grant an EC2 instance temporary access to a secret stored in AWS Secrets Manager. The secret is encrypted with a customer-managed KMS key. What permissions must the EC2 instance's IAM role have? (Select TWO.)

    A. `secretsmanager:GetSecretValue` on the specific secret ARN.
    B. `kms:Decrypt` on the KMS key used to encrypt the secret.
    C. `secretsmanager:DescribeSecret` on all secrets in the account.
    D. `kms:GenerateDataKey` on the KMS key used to encrypt the secret.
    E. `sts:AssumeRole` on the Secrets Manager service role.

  10. Question 10: Security & Compliance

    A SysOps administrator is configuring AWS KMS for a team's application. The application needs to encrypt large files (multiple GB). The administrator needs to ensure the encryption is efficient and follows AWS best practices. Which encryption approach should the administrator recommend?

    A. Use envelope encryption: generate a data encryption key (DEK) from KMS, use the plaintext DEK to encrypt the data locally, and store the encrypted DEK alongside the encrypted data.
    B. Call the KMS `Encrypt` API directly, passing the entire file as the plaintext parameter.
    C. Use the KMS `GenerateRandom` API to create a key, encrypt the file locally, and store the key in Secrets Manager.
    D. Create a KMS key with a 4 KB key spec to handle large file encryption natively.

  11. Question 11: Security & Compliance

    A company has a regulatory requirement that encryption keys must be stored in FIPS 140-2 Level 3 validated hardware and the company must have exclusive control over the key material. Which AWS service meets this requirement?

    A. AWS KMS with a customer managed key.
    B. AWS KMS with an AWS managed key.
    C. AWS CloudHSM.
    D. AWS Certificate Manager private CA.

  12. Question 12: Security & Compliance

    A company handles sensitive financial data across multiple AWS Regions. They encrypt data with KMS Customer Managed Keys and need to decrypt the data in a secondary Region during disaster recovery without transferring plaintext keys across Regions. Which KMS feature addresses this requirement?

    A. Create a new KMS key in the secondary Region and re-encrypt all data with the new key during DR.
    B. Use KMS multi-Region keys, which replicate the same key material across selected Regions, allowing encryption in one Region and decryption in another.
    C. Export the KMS key material from the primary Region and import it into a key in the secondary Region.
    D. Use AWS CloudHSM with a cross-Region cluster to share key material.

  13. Question 13: Security & Compliance

    A SysOps Administrator needs to share a KMS Customer Managed Key with a different AWS account so that the other account can encrypt and decrypt data using that key. Which configuration is required on the KMS key?

    A. Enable KMS multi-Region key replication to the other account's Region.
    B. Add a key policy statement that grants the other account's root principal (or specific roles) `kms:Encrypt` and `kms:Decrypt` permissions on the key; the target account must also have an IAM policy allowing the same actions.
    C. Share the KMS key using AWS Resource Access Manager (RAM).
    D. Export the key material and send it to the other account for import into their own KMS key.

  14. Question 14: Security & Compliance

    A SysOps Administrator needs to enforce that S3 objects uploaded to a specific bucket are always encrypted with a particular KMS key. Any upload that does not specify this KMS key must be rejected. Which S3 configuration enforces this?

    A. Enable S3 default encryption with the KMS key and rely on it to encrypt all objects.
    B. Add a bucket policy with a `Deny` statement for `s3:PutObject` where the condition `s3:x-amz-server-side-encryption-aws-kms-key-id` does not equal the required KMS key ARN.
    C. Enable S3 Object Lock, which requires KMS encryption on all objects.
    D. Configure AWS Config with the `s3-bucket-server-side-encryption-enabled` rule to flag non-compliant uploads.

  15. Question 15: Security & Compliance

    A SysOps Administrator discovers that the KMS key used to encrypt an S3 bucket has been accidentally scheduled for deletion (7-day waiting period). Objects in the bucket will become permanently inaccessible if the key is deleted. What should the administrator do IMMEDIATELY?

    A. Cancel the key deletion using the `CancelKeyDeletion` API, which returns the key to the `Disabled` state, then re-enable it.
    B. Create a new KMS key and re-encrypt all objects before the deletion completes.
    C. Contact AWS Support to recover the key after it has been deleted.
    D. Restore the key from a KMS key backup.

  16. Question 16: Security & Compliance

    A SysOps administrator needs to rotate the customer-managed KMS key used to encrypt an Amazon RDS database. After rotating the key, the administrator notices that existing data is still accessible. What explains this behavior?

    A. KMS key rotation creates new key material but retains old key material for decryption of previously encrypted data.
    B. RDS re-encrypts all data with the new key material during the rotation.
    C. The administrator must manually re-encrypt the database using a snapshot and restore.
    D. KMS key rotation only affects newly created RDS instances.

  17. Question 17: Security & Compliance (Select All That Apply)

    A SysOps administrator discovers that a KMS customer-managed key used for encrypting sensitive data was scheduled for deletion with the minimum 7-day waiting period. The team needs to implement preventive measures to avoid this in the future. Which measures should the team implement? (Select TWO.)

    A. Create a CloudWatch alarm on the KMS `KeyDeletion` CloudTrail event and configure an EventBridge rule to trigger a Lambda function that cancels the key deletion.
    B. Apply an SCP that denies `kms:ScheduleKeyDeletion` for all principals except a specific break-glass role.
    C. Enable KMS key auto-recovery, which automatically cancels scheduled deletions after 48 hours.
    D. Set the minimum deletion waiting period to 30 days using a KMS key policy condition.
    E. Use the AWS Config rule `kms-key-deletion-disabled` to prevent key deletion scheduling.

  18. Question 18: Security & Compliance

    A SysOps administrator wants to ensure that all CloudTrail log files are encrypted at rest using a customer-managed KMS key. After configuring the trail to use a CMK, the administrator notices that some users can no longer read the log files from the S3 bucket. What is the MOST likely cause?

    A. The users' IAM policies do not include `kms:Decrypt` permission for the CMK used to encrypt the CloudTrail log files.
    B. The S3 bucket policy was automatically updated to deny read access when CMK encryption was enabled.
    C. CloudTrail requires a separate IAM role for encrypted log delivery, which was not configured.
    D. The KMS key policy does not allow the S3 service principal to use the key for encryption.

  19. Question 19: Security & Compliance

    A company operates in three AWS Regions and wants to use a single KMS key to encrypt data across all Regions without cross-Region API calls for cryptographic operations. What should the SysOps administrator configure?

    A. Create a KMS key in one Region and use cross-Region key policies to allow access from other Regions.
    B. Create a KMS multi-Region key and replicate it to the other two Regions.
    C. Create separate KMS keys in each Region and use an alias with the same name.
    D. Use AWS CloudHSM with a cluster spanning three Regions.

  20. Question 20: Security & Compliance

    A SysOps administrator has configured a KMS multi-Region primary key in us-east-1 and replicated it to eu-west-1. An application in eu-west-1 encrypts data using the replica key. The administrator needs to decrypt this data in us-east-1. Which statement is true?

    A. The data must be decrypted in eu-west-1 and re-encrypted with the us-east-1 primary key.
    B. The data can be decrypted in us-east-1 using the primary key because multi-Region keys share the same key material.
    C. The data must be copied to eu-west-1 for decryption because the ciphertext is Region-bound.
    D. The data can only be decrypted by making a cross-Region KMS API call to eu-west-1.


Key KMS Concepts for SOA-C03

KMS, key, encryption, key policy, grant, rotation, envelope encryption, multi-Region key

SOA-C03 KMS Exam Tips

AWS Key Management Service (KMS) questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: KMS keys, encryption, key policies, grants, and rotation.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • KMS scenarios for SOA-C03 are frequently mapped to Domain 4 (16%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where KMS interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value KMS Concepts

  • Know the core KMS building blocks cold: KMS keys, encryption, and key policies.
  • Review the edge-case features and limits for grants and rotation; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how KMS pairs with IAM, S3, EBS, RDS in real deployment patterns.
  • For SOA-C03, explain why the chosen KMS design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Security and Compliance often include distractors that look correct for KMS but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two KMS implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Security and Compliance (16%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for KMS without relying on default-open assumptions?
  • Can you describe how KMS integrates with IAM and S3 during failure, scaling, and monitoring events?
