AWS Certified Solutions Architect – Associate (SAA-C02) — Question 404
A company is using a centralized AWS account to store log data in various Amazon S3 buckets. A solutions architect needs to ensure that the data is encrypted at rest before the data is uploaded to the S3 buckets. The data also must be encrypted in transit.
Which solution meets these requirements?
Answer options
- A. Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.
- B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.
- C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.
- D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.
Correct answer: A
Explanation
Client-side encryption encrypts the data locally, on the sender's side, before it is uploaded. The data is therefore already encrypted when it leaves the client, which satisfies the requirement for encryption before upload and also protects the data in transit. Server-side encryption methods (such as SSE-S3 or SSE-KMS) encrypt the data only after it reaches the S3 bucket, so they do not meet the requirement that the data be encrypted prior to upload.