AWS Certified Security – Specialty — Question 86

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.
What should the Security Engineer use to accomplish this?

Answer options

• A. Server-side encryption with Amazon S3-managed keys (SSE-S3)
• B. Server-side encryption with AWS KMS-managed keys (SSE-KMS)
• C. Server-side encryption with customer-provided keys (SSE-C)
• D. Client-side encryption with an AWS KMS-managed CMK

Correct answer: B

Explanation

The correct answer is B, as Server-side encryption with AWS KMS-managed keys (SSE-KMS) allows the company to generate its own keys while AWS manages the key storage and encryption process. Option A (SSE-S3) does not allow for custom key generation, while C (SSE-C) requires managing the keys, which is not what the company wants. Option D (Client-side encryption) involves encrypting data before it is sent to S3, which does not meet the requirement for server-side encryption.