The correct answers are: Store the documents in Amazon S3 with Object Lock enabled in compliance mode and use server-side encryption with AWS KMS and a customer managed key that has automatic key rotation enabled.

S3 Object Lock in compliance mode ensures that objects cannot be deleted or overwritten for a defined retention period, even by AWS root users. This satisfies the regulatory requirement for immutability over the five-year contract period. Governance mode, by contrast, can be bypassed by users with special permissions, making it unsuitable for strict compliance use cases.

AWS KMS with customer managed keys supports automatic key rotation annually. By using SSE-KMS with customer-managed keys, the organization retains full control over the encryption lifecycle while benefiting from automatic key rotation, meeting security and compliance objectives with minimal manual work.

Why the other options are incorrect:

S3 Object Lock in governance mode provides write-once-read-many (WORM) protection but can be overridden by users with sufficient IAM permissions, making it less secure than compliance mode for regulatory use cases where strict immutability is required.

Using SSE-S3 (Amazon S3 managed keys) does not allow customer control over key rotation, and AWS rotates these keys at its own discretion without user-configurable scheduling, making it unsuitable when annual rotation is mandated.

Using KMS with customer-provided (imported) keys requires you to manually rotate and manage the lifecycle of those keys. This significantly increases operational overhead, which violates the requirement for a low-maintenance solution.

Why this question matters: It tests a candidate's knowledge of secure data storage in S3, encryption strategies, key rotation, and regulatory compliance enforcement. Understanding the difference between governance and compliance mode is especially important for high-stakes environments like healthcare and finance.

Tip: When you see requirements around immutability, retention policies, or legal holds, consider S3 Object Lock. If you see key rotation or fine-grained control mentioned, AWS KMS with customer-managed keys is the likely solutionespecially when automation and minimal overhead are required.

Full AWS Practitioner Certification Question