AWS Certified Developer – Associate (DVA-C02) — Question 26
A developer has an application that stores data in an Amazon S3 bucket. The application uses an HTTP API to store and retrieve objects. When the PutObject API operation adds objects to the S3 bucket, the developer must encrypt these objects at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3).
Which solution will meet this requirement?
Answer options
- A. Create an AWS Key Management Service (AWS KMS) key. Assign the KMS key to the S3 bucket.
- B. Set the x-amz-server-side-encryption header when invoking the PutObject API operation.
- C. Provide the encryption key in the HTTP header of every request.
- D. Apply TLS to encrypt the traffic to the S3 bucket.
Correct answer: B
Explanation
The correct answer is B: setting the x-amz-server-side-encryption header (with the value AES256) on the PutObject API call instructs Amazon S3 to encrypt the object at rest with SSE-S3. Option A is incorrect because SSE-S3 uses keys that Amazon S3 manages, so a KMS key is not necessary. Option C is wrong because SSE-S3 does not require providing an encryption key in the request headers. Option D is incorrect because TLS encrypts data in transit, not at rest.