AWS Certified Developer – Associate — Question 111

A developer uses server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to store data in Amazon S3. The developer needs to decrypt and download the encrypted objects by using the GetObject API call.

What is the LEAST amount of information that the developer must provide in the API call to meet this requirement?

Answer options

• A. The S3 object key only
• B. The S3 object key and the encryption key
• C. The S3 object key and the Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) key
• D. The S3 object key and a randomly salted Hash-based Message Authentication Code (HMAC) value of the encryption key

Correct answer: A

Explanation

The correct answer is A because when using SSE-S3, the encryption and decryption processes are handled by Amazon S3, and only the S3 object key is required to access the encrypted object. The other options incorrectly suggest that additional information, such as the encryption key or KMS ARN, is necessary, which is not the case for SSE-S3.