AWS Certified Developer – Associate — Question 282
A company must encrypt sensitive data that the company will store in Amazon S3. A developer must retain total control over the company's AWS Key Management Service (AWS KMS) key and the company's data keys. The company currently uses an on-premises hardware security module (HSM) solution. The company wants to move its key management onto AWS.
Which solution will meet these requirements?
Answer options
- A. Implement server-side encryption with AWS KMS managed keys (SSE-KMS). Use AWS CloudHSM to generate the KMS key and data keys to use with AWS KMS.
- B. Implement server-side encryption with customer-provided encryption keys (SSE-C). Use AWS CloudHSM to generate the KMS key and manage the data keys that the company will use to read and write objects to Amazon S3.
- C. Implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use AWS CloudHSM to generate the KMS key and manage the data keys that the company will use to read and write objects to Amazon S3.
- D. Implement server-side encryption with AWS KMS managed keys (SSE-KMS). Use the AWS KMS custom key store feature to manage the data keys. Then read or write objects to Amazon S3 as normal.
Correct answer: B
Explanation
Server-side encryption with customer-provided keys (SSE-C) gives the customer full ownership and control over the encryption keys: the key is supplied with each request, S3 uses it to encrypt or decrypt the object and then discards it, so the key material never resides in an AWS-managed key store. This aligns with the requirement to manage keys using AWS CloudHSM. The other options (SSE-KMS, including the custom key store variant, and SSE-S3) delegate key management and lifecycle actions to AWS, which does not satisfy the requirement for the developer to retain total control of both the KMS key and the data keys.