AWS Certified Solutions Architect – Associate (SAA-C03) — Question 233

A company is using a centralized AWS account to store log data in various Amazon S3 buckets. A solutions architect needs to ensure that the data is encrypted at rest before the data is uploaded to the S3 buckets. The data also must be encrypted in transit.

Which solution meets these requirements?

Answer options

• A. Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.
• B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.
• C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.
• D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.

Correct answer: A

Explanation

The correct answer is A because client-side encryption ensures that the data is encrypted before it leaves the client machine, meeting the requirement for encryption at rest and in transit. Options B and C involve server-side encryption, which does not address the requirement for encryption before uploading. Option D focuses on bucket-level encryption rather than ensuring the data is encrypted before it is sent.