AWS Certified Developer – Associate (DVA-C02) — Question 472
A developer is creating a new application that will give users the ability to upload documents to Amazon S3. The contents of the documents must not be accessible to any third party.
Which type of encryption will meet this requirement?
Answer options
- A. Client-side encryption by using the S3 Encryption Client with a Raw RSA wrapping key that is stored on the user’s device
- B. Server-side encryption with S3 managed keys (SSE-S3)
- C. Server-side encryption with AWS KMS keys (SSE-KMS)
- D. Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)
Correct answer: C
Explanation
Server-side encryption with AWS KMS keys (SSE-KMS) encrypts S3 objects with KMS keys (formerly called customer master keys), and the KMS key policy gives fine-grained control over who can use the key to decrypt, which prevents unauthorized third-party access. SSE-S3 does not offer the same granular access control and auditing, while DSSE-KMS applies two independent layers of encryption and is typically reserved for highly specific compliance needs. Client-side encryption with raw RSA keys is overly complex and harder to manage for this scenario.