AWS Certified Developer – Associate — Question 162

A software company must ensure that documents that are uploaded by users are securely stored in Amazon S3. The documents must be encrypted at rest in Amazon S3. The company wants to avoid client-side encryption and does not want to manage the security infrastructure. In addition, the company wants control over the keys that are used for encryption at rest.

Which solution for encryption keys should a developer use to meet these requirements?

Answer options

• A. Amazon S3 managed keys
• B. Application-level encryption with customer-provided encryption keys that are stored in an on-premises hardware security module (HSM)
• C. AWS Key Management Service (AWS KMS) customer managed keys
• D. IAM access keys

Correct answer: C

Explanation

The correct answer is C, AWS Key Management Service (AWS KMS) customer managed keys, because it allows the company to manage the encryption keys while providing server-side encryption without the need for client-side management. Option A, Amazon S3 managed keys, does not give the company control over the keys. Option B involves managing an on-premises HSM, which contradicts the requirement to avoid managing security infrastructure. Option D, IAM access keys, are used for access control and not for encryption key management.