AWS Certified Solutions Architect – Associate (SAA-C02) — Question 68
A company plans to store sensitive user data on Amazon S3. Internal security compliance requirements mandate that the data be encrypted before it is sent to Amazon S3.
What should a solutions architect recommend to satisfy these requirements?
Answer options
- A. Server-side encryption with customer-provided encryption keys
- B. Client-side encryption with Amazon S3 managed encryption keys
- C. Server-side encryption with keys stored in AWS Key Management Service (AWS KMS)
- D. Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)
Correct answer: D
Explanation
The correct answer is D because client-side encryption with a master key stored in AWS KMS encrypts the data on the client before it is uploaded, so the data is already encrypted when it reaches Amazon S3, as the requirement demands. Options A and C use server-side encryption, in which S3 encrypts the data only after receiving it, so they do not meet the requirement to encrypt before sending. Option B relies on Amazon S3 managed encryption keys, which are held and applied by the S3 service rather than by the client, so it also does not give the client the control needed to encrypt data before upload.