AWS Certified Solutions Architect – Associate (SAA-C02) — Question 33
A company is planning to use Amazon S3 to store images uploaded by its users. The images must be encrypted at rest in Amazon S3. The company does not want to spend time managing and rotating the keys, but it does want to control who can access those keys.
What should a solutions architect use to accomplish this?
Answer options
- A. Server-Side Encryption with keys stored in an S3 bucket
- B. Server-Side Encryption with Customer-Provided Keys (SSE-C)
- C. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- D. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Correct answer: D
Explanation
The correct option is D. With Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), Amazon S3 encrypts each object under a key held in AWS KMS. KMS takes care of storing and rotating the key, while the key policy and IAM policies let the company decide exactly which principals may use it, so access control is retained without the overhead of key management. Option A is incorrect because storing keys in an S3 bucket is not an S3 encryption feature and provides neither key management nor control over key access. Option B, Server-Side Encryption with Customer-Provided Keys (SSE-C), requires the company to generate, store, rotate and supply the keys with every request, which it wants to avoid. Option C, SSE-S3, is fully managed, but the keys are controlled by S3 itself, so the company cannot restrict who is able to use them.