AWS Certified Developer – Associate — Question 401
An application needs to encrypt data that is written to Amazon S3 where the keys are managed in an on-premises data center, and the encryption is handled by S3.
Which type of encryption should be used?
Answer options
- A. Use server-side encryption with Amazon S3-managed keys.
- B. Use server-side encryption with AWS KMS-managed keys.
- C. Use client-side encryption with AWS KMS-managed keys.
- D. Use server-side encryption with customer-provided keys.
Correct answer: D
Explanation
Server-side encryption with customer-provided keys (SSE-C) is the correct choice because it allows Amazon S3 to handle the encryption and decryption processes while the user retains full management of the keys in their own on-premises infrastructure. Options A and B are incorrect because the keys would be managed by AWS, not on-premises. Option C is incorrect because client-side encryption requires the client application to perform the encryption, rather than Amazon S3.