Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
Introduction
In AWS, protecting data is not just about encrypting it once. You must also:
- Rotate encryption keys
- Renew SSL/TLS certificates
If you do not rotate keys or renew certificates:
- Old keys may become compromised
- Certificates may expire
- Applications may stop working
- Security compliance requirements may not be met
For the SAA-C03 exam, you must understand:
- Why rotation and renewal are important
- How AWS handles key rotation
- How certificate renewal works
- When manual action is required
- Best practices and common exam traps
Part 1: Rotating Encryption Keys
1. What Is Encryption Key Rotation?
Encryption key rotation means:
Replacing an old encryption key with a new one while keeping data secure and accessible.
Instead of using the same key forever, AWS creates a new version of the key periodically.
Key rotation reduces risk because:
- If a key is compromised, damage is limited
- Long-term exposure is reduced
- It meets security compliance standards (PCI-DSS, HIPAA, etc.)
2. AWS Service for Key Management
The main service used is:
AWS Key Management Service (AWS KMS)
AWS KMS allows you to:
- Create encryption keys (Customer Managed Keys – CMKs)
- Control who can use them
- Rotate keys automatically
- Audit usage using CloudTrail
3. Types of KMS Keys (Important for Exam)
1️⃣ AWS Managed Keys
- Automatically created by AWS services
- Automatically rotated every year
- You cannot control rotation schedule
Example:
- Amazon S3 encryption (SSE-KMS)
- EBS encryption
- RDS encryption
2️⃣ Customer Managed Keys (CMKs)
- Created and controlled by you
- Rotation can be enabled manually
- Rotation happens once per year (automatic option)
- You control key policies
Exam Tip:
If a question says:
“The company needs control over key rotation and access policies”
Answer: Customer Managed Key
3️⃣ Imported Keys (Bring Your Own Key – BYOK)
- You import your own key material into KMS
- AWS does NOT rotate it automatically
- You must rotate manually
Exam Trap:
If the question says:
“Company uses imported key material and needs automatic rotation”
Answer: Not possible automatically — must rotate manually
4. How Automatic Key Rotation Works in KMS
When you enable rotation:
- AWS creates a new backing key every year
- The key ID stays the same
- Applications do NOT need to change anything
- Old data remains encrypted with older versions
- New data uses the newest key version
This is called key versioning.
Very important for exam:
Rotation does NOT re-encrypt existing data automatically.
Old data remains encrypted with old key versions, but AWS keeps those versions available.
5. Manual Key Rotation (When Required)
Manual rotation is needed when:
- Using imported key material
- Changing cryptographic standards
- Meeting strict compliance rules
Manual rotation steps:
- Create a new key
- Update applications to use the new key
- Re-encrypt old data (if required)
- Disable or schedule deletion of old key
6. Key Deletion (Exam Focus)
In AWS Key Management Service:
- Minimum deletion waiting period = 7 days
- Maximum = 30 days
- After deletion → data encrypted with that key becomes unrecoverable
Exam Question Pattern:
Company accidentally scheduled key deletion. What can they do?
Answer:
Cancel deletion during waiting period.
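The four key types and the deletion window above can be turned into a routine audit. The following is an added example written for this study guide, not AWS or boto3 sample code: it reads only real `describe_key()` and `get_key_rotation_status()` response fields (`KeyState`, `Origin`, `KeyManager`, `DeletionDate`, `KeyRotationEnabled`) and classifies each key as auto-rotated, needing manual rotation, or pending deletion with the days left to cancel. The client is injected, so it runs unchanged against `boto3.client("kms")` or against the constructed `FakeKms` below, whose key IDs and dates are invented.

```python
"""Audit KMS keys: which rotate automatically, which need manual rotation,
and which are scheduled for deletion (and can still be cancelled).

Added example for the study guide, not AWS or boto3 code. The fake client
and SAMPLE_KEYS below are constructed sample data, not a real account."""
from datetime import datetime, timedelta, timezone


def classify_key(meta, rotation_enabled):
    """Map one KeyMetadata dict to a rotation posture.

    Returns 'pending-deletion', 'imported-manual', 'aws-managed-auto',
    'cmk-auto' or 'cmk-manual'. Order matters: an imported key also reports
    rotation as disabled, but the point is that KMS *cannot* rotate it."""
    if meta.get("KeyState") == "PendingDeletion":
        return "pending-deletion"
    if meta.get("Origin") == "EXTERNAL":        # BYOK material: never auto-rotated
        return "imported-manual"
    if meta.get("KeyManager") == "AWS":         # aws/* keys: AWS rotates them
        return "aws-managed-auto"
    return "cmk-auto" if rotation_enabled else "cmk-manual"


def audit_keys(kms, now=None):
    """Return one finding per key. A pending deletion also carries the number
    of days left to call cancel_key_deletion() before the key is gone."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for entry in kms.list_keys()["Keys"]:       # production: use a paginator
        key_id = entry["KeyId"]
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        rotation = False
        # Only customer-managed, KMS-origin keys have a meaningful rotation flag.
        if (meta.get("KeyManager") == "CUSTOMER" and meta.get("Origin") == "AWS_KMS"
                and meta.get("KeyState") != "PendingDeletion"):
            rotation = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
        status = classify_key(meta, rotation)
        finding = {"KeyId": key_id, "status": status}
        if status == "pending-deletion":
            finding["days_to_cancel"] = max((meta["DeletionDate"] - now).days, 0)
        findings.append(finding)
    return findings


def needs_action(findings):
    """Findings an operator must act on: rotation is off, the material is
    imported (rotate by creating a new key and re-pointing aliases), or a
    deletion is pending and may need cancelling."""
    return [f for f in findings
            if f["status"] in ("cmk-manual", "imported-manual", "pending-deletion")]


# --- constructed sample data (invented key IDs, not real account state) -----
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = {
    "aws-managed-1": {"meta": {"KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "AWS"}, "rotation": True},
    "cmk-rotating":  {"meta": {"KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER"}, "rotation": True},
    "cmk-static":    {"meta": {"KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER"}, "rotation": False},
    "byok-1":        {"meta": {"KeyState": "Enabled", "Origin": "EXTERNAL", "KeyManager": "CUSTOMER"}, "rotation": False},
    "oops-deleting": {"meta": {"KeyState": "PendingDeletion", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER",
                               "DeletionDate": SAMPLE_NOW + timedelta(days=20)}, "rotation": False},
}


class FakeKms:
    """Constructed stand-in for boto3's KMS client; exposes only the three
    calls audit_keys() uses, with the same response shapes."""
    def __init__(self, keys):
        self._keys = keys

    def list_keys(self):
        return {"Keys": [{"KeyId": k} for k in self._keys]}

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._keys[KeyId]["meta"]}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._keys[KeyId]["rotation"]}


if __name__ == "__main__":
    for finding in needs_action(audit_keys(FakeKms(SAMPLE_KEYS), now=SAMPLE_NOW)):
        print(finding)
```

Against the sample data the audit reports `cmk-static` (rotation never enabled), `byok-1` (imported material, so rotation is a manual create-new-key process) and `oops-deleting` with 20 days left in its waiting period; the two auto-rotated keys produce no action item.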
7. Monitoring Key Usage
Use:
AWS CloudTrail
CloudTrail logs:
- Who used the key
- When it was used
- What API call was made
This helps detect suspicious activity.
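What "detect suspicious activity" looks like in practice: the added example below (written for this study guide, not AWS code) scans CloudTrail records for KMS events and raises alerts for control-plane calls that weaken or destroy a key (`ScheduleKeyDeletion`, `DisableKeyRotation`, `DisableKey`, `PutKeyPolicy`) and for a principal repeatedly denied `Decrypt` on the same key. The field names (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters`, `errorCode`) are the real CloudTrail record fields; the sample records, ARNs, key IDs and timestamps are constructed.

```python
"""Scan CloudTrail records for KMS events worth an alert.

Added example for the study guide, not AWS code. SAMPLE_TRAIL is constructed
(invented account, ARNs and key IDs) but uses real CloudTrail field names."""
import json
from collections import Counter

# Control-plane calls that weaken or destroy a key: always alert.
SENSITIVE_EVENTS = {
    "ScheduleKeyDeletion": "deletion scheduled; cancel within the waiting period if unintended",
    "DisableKeyRotation": "automatic rotation switched off",
    "DisableKey": "key disabled; services using it will fail to decrypt",
    "PutKeyPolicy": "key policy changed; review who was granted access",
}
# Data-plane calls where repeated denials suggest probing or a broken deployment.
DATA_PLANE_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey", "ReEncrypt"}

SAMPLE_TRAIL = """
{"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/cmk-static"}}
{"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/oops-deleting", "pendingWindowInDays": 7}}
{"eventTime": "2024-01-01T10:06:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/cmk-static"}, "errorCode": "AccessDenied"}
{"eventTime": "2024-01-01T10:06:30Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/cmk-static"}, "errorCode": "AccessDenied"}
{"eventTime": "2024-01-01T10:07:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/cmk-static"}, "errorCode": "AccessDenied"}
{"eventTime": "2024-01-01T10:10:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}}
{"eventTime": "2024-01-01T11:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DisableKeyRotation", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/cmk-rotating"}}
"""


def parse_records(text):
    """One JSON record per non-empty line (what you get after flattening a
    CloudTrail log file's 'Records' array, or from a CloudTrail Lake export)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records, denied_threshold=3):
    """Return alerts: one per sensitive control-plane call, plus one per
    (principal, key) pair denied a data-plane call at least `denied_threshold` times."""
    alerts, denied = [], Counter()
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue                              # only KMS events matter here
        name = rec.get("eventName")
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        if name in SENSITIVE_EVENTS:
            alert = {"severity": "high", "event": name, "principal": who,
                     "keyId": params.get("keyId"), "time": rec.get("eventTime"),
                     "note": SENSITIVE_EVENTS[name]}
            if name == "ScheduleKeyDeletion":     # how long responders have to cancel
                alert["pendingWindowInDays"] = params.get("pendingWindowInDays")
            alerts.append(alert)
        elif name in DATA_PLANE_EVENTS and rec.get("errorCode") == "AccessDenied":
            denied[(who, params.get("keyId"))] += 1
    for (who, key_id), count in denied.items():
        if count >= denied_threshold:
            alerts.append({"severity": "medium", "event": "RepeatedAccessDenied",
                           "principal": who, "keyId": key_id, "count": count,
                           "note": "principal repeatedly denied use of this key"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_records(SAMPLE_TRAIL)):
        print(alert["severity"], alert["event"], alert["principal"], alert["note"])
```

On the sample trail this yields three alerts: the scheduled deletion (with its 7-day window, the minimum the guide mentions), the disabled rotation, and bob's three denied `Decrypt` calls on one key. Successful `Decrypt` calls by the application role and the unrelated S3 event produce nothing.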
Part 2: Renewing SSL/TLS Certificates
Now let’s discuss certificates.
1. What Is a Certificate?
An SSL/TLS certificate:
- Encrypts data in transit
- Proves server identity
- Prevents man-in-the-middle attacks
Certificates expire (usually after 1 year).
If expired:
- HTTPS stops working
- Browsers show a security warning
- Applications fail
2. AWS Service for Certificates
Main service:
AWS Certificate Manager (ACM)
ACM allows you to:
- Request public certificates
- Import certificates
- Automatically renew supported certificates
- Attach certificates to:
  - Elastic Load Balancers
  - CloudFront
  - API Gateway
3. Automatic Certificate Renewal (Important)
ACM automatically renews:
- Public certificates issued by ACM
- Certificates that are:
  - In use
  - Validated (DNS validation preferred)
If using DNS validation:
- Renewal is fully automatic
Exam Tip:
If question says:
“Company wants fully automated certificate renewal”
Answer:
Use ACM with DNS validation
4. Imported Certificates
If you import certificates into ACM:
- AWS does NOT renew them
- You must:
  - Track expiration
  - Renew manually
  - Re-import
Exam Trap:
“Company imports third-party certificate and wants automatic renewal”
Answer:
Not possible. Must manage manually or use ACM-issued certificate.
5. Certificate Expiration Monitoring
You can monitor certificate expiration using:
- Amazon EventBridge
- CloudWatch
- AWS Health Dashboard
ACM also sends expiration reminders.
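Sections 3 to 5 above can be checked with one audit. The following is an added example written for this study guide, not AWS or boto3 sample code: it reads real `describe_certificate()` fields (`Type`, `NotAfter`, `RenewalEligibility`, `InUseBy`, `DomainValidationOptions`) and classifies each certificate as hands-off (ACM-issued with DNS validation), needing email approval, ineligible for renewal, or imported and therefore renewed by hand, flagging any certificate close to expiry. The client is injected so the same code runs against `boto3.client("acm")` or against the constructed `FakeAcm` below, whose ARNs, domains and dates are invented.

```python
"""Audit ACM certificates for renewal posture and remaining lifetime.

Added example for the study guide, not AWS or boto3 code. SAMPLE_CERTS and
FakeAcm are constructed (invented account, ARNs, domains and dates)."""
from datetime import datetime, timedelta, timezone


def check_certificate(cert, now, warn_days=45):
    """Classify one describe_certificate()['Certificate'] dict.

    ACM starts renewing eligible certificates well before NotAfter and the
    renewed certificate carries a later NotAfter, so *any* certificate still
    this close to expiry, auto-renewing or not, is flagged urgent."""
    days_left = (cert["NotAfter"] - now).days
    if cert["Type"] == "IMPORTED":
        action = "renew-and-reimport-manually"        # ACM never renews imports
    elif cert.get("RenewalEligibility") == "ELIGIBLE":
        methods = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}
        # DNS validation renews hands-off; email validation needs someone to
        # approve the renewal mail, so it is only semi-automatic.
        action = "auto-renew-dns" if methods == {"DNS"} else "auto-renew-needs-email-approval"
    else:
        # Typical cause: the certificate is not associated with any resource.
        action = "ineligible-investigate"
    return {
        "arn": cert["CertificateArn"],
        "domain": cert["DomainName"],
        "action": action,
        "days_left": days_left,
        "in_use": bool(cert.get("InUseBy")),
        "urgent": days_left <= warn_days,
    }


def audit_certificates(acm, now=None, warn_days=45):
    """One finding per certificate, soonest expiry first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for summary in acm.list_certificates()["CertificateSummaryList"]:  # paginate in production
        cert = acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]
        findings.append(check_certificate(cert, now, warn_days))
    return sorted(findings, key=lambda f: f["days_left"])


# --- constructed sample data -------------------------------------------------
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
_LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/abc"


def _cert(name, domain, ctype, days, eligible, method=None, in_use=True):
    cert = {"CertificateArn": f"arn:aws:acm:us-east-1:111111111111:certificate/{name}",
            "DomainName": domain, "Type": ctype,
            "NotAfter": SAMPLE_NOW + timedelta(days=days),
            "RenewalEligibility": "ELIGIBLE" if eligible else "INELIGIBLE",
            "InUseBy": [_LB_ARN] if in_use else []}
    if method:
        cert["DomainValidationOptions"] = [{"DomainName": domain, "ValidationMethod": method}]
    return cert


SAMPLE_CERTS = [
    _cert("dns-ok", "www.example.com", "AMAZON_ISSUED", 300, True, "DNS"),
    _cert("imported", "legacy.example.com", "IMPORTED", 20, False),
    _cert("email", "mail.example.com", "AMAZON_ISSUED", 40, True, "EMAIL"),
    _cert("unused", "old.example.com", "AMAZON_ISSUED", 200, False, "DNS", in_use=False),
]


class FakeAcm:
    """Constructed stand-in for boto3's ACM client (list + describe only)."""
    def __init__(self, certs):
        self._certs = {c["CertificateArn"]: c for c in certs}

    def list_certificates(self):
        return {"CertificateSummaryList": [{"CertificateArn": a, "DomainName": c["DomainName"]}
                                           for a, c in self._certs.items()]}

    def describe_certificate(self, CertificateArn):
        return {"Certificate": self._certs[CertificateArn]}


if __name__ == "__main__":
    for finding in audit_certificates(FakeAcm(SAMPLE_CERTS), now=SAMPLE_NOW):
        print(finding["days_left"], finding["action"], finding["domain"])
```

On the sample data the imported certificate (20 days left) and the email-validated one (40 days) come out urgent, the unused certificate is ineligible and worth investigating, and the DNS-validated certificate in use needs nothing. Wire the output into an EventBridge-triggered Lambda or a scheduled job to complement the reminders ACM itself sends.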
6. Certificates and Load Balancers
Certificates are commonly attached to:
- Application Load Balancer (ALB)
- Network Load Balancer (NLB)
- CloudFront
When certificate renews:
- No downtime
- No application restart needed
Key Differences for Exam
| Topic | Key Rotation | Certificate Renewal |
|---|---|---|
| Protects | Data at rest | Data in transit |
| Service | AWS KMS | AWS Certificate Manager |
| Automatic Option | Yes (for CMK) | Yes (ACM-issued certs) |
| Imported Material | Manual | Manual |
| Affects Old Data | No re-encryption | Not applicable |
| Expiration Risk | No expiry | Certificates expire |
Important Exam Scenarios
Scenario 1
Requirement:
- Encrypt S3 data
- Automatic yearly rotation
- Full control
Answer:
- Use Customer Managed Key in KMS
- Enable automatic rotation
Scenario 2
Requirement:
- HTTPS website
- No downtime
- Automatic certificate renewal
Answer:
- Use ACM-issued certificate
- Use DNS validation
Scenario 3
Requirement:
- Strict compliance
- On-premises key material
- Controlled lifecycle
Answer:
- Import key material into KMS
- Manual rotation process required
Best Practices for SAA-C03
- Enable automatic rotation for CMKs
- Use ACM-issued certificates when possible
- Use DNS validation for auto renewal
- Monitor key usage with CloudTrail
- Avoid long-term use of static keys
- Never delete KMS key without understanding impact
- Plan certificate renewal before expiration
Common Exam Traps
❌ Thinking rotation re-encrypts old data automatically
❌ Thinking imported certificates auto-renew
❌ Forgetting key deletion waiting period
❌ Not knowing AWS-managed keys rotate automatically
❌ Confusing encryption at rest vs in transit
Final Summary
For the SAA-C03 exam, remember:
Encryption Keys (Data at Rest)
- Managed by AWS KMS
- Customer Managed Keys support automatic yearly rotation
- Imported keys require manual rotation
- Rotation does not re-encrypt existing data
- Key deletion has 7–30 day waiting period
Certificates (Data in Transit)
- Managed by AWS Certificate Manager
- ACM-issued certificates auto-renew
- Imported certificates must be renewed manually
- DNS validation allows full automation
