AWS Certified Solutions Architect – Associate (SAA-C03) — Question 657
A company needs to provide customers with secure access to its data. The company processes customer data and stores the results in an Amazon S3 bucket.
All the data is subject to strong regulations and security requirements. The data must be encrypted at rest. Each customer must be able to access only their data from their AWS account. Company employees must not be able to access the data.
Which solution will meet these requirements?
Answer options
- A. Provision an AWS Certificate Manager (ACM) certificate for each customer. Encrypt the data client-side. In the private certificate policy, deny access to the certificate for all principals except an IAM role that the customer provides.
- B. Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In the S3 bucket policy, deny decryption of data for all principals except an IAM role that the customer provides.
- C. Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In each KMS key policy, deny decryption of data for all principals except an IAM role that the customer provides.
- D. Provision an AWS Certificate Manager (ACM) certificate for each customer. Encrypt the data client-side. In the public certificate policy, deny access to the certificate for all principals except an IAM role that the customer provides.
Correct answer: C
Explanation
Using a dedicated AWS KMS key per customer with a key policy that restricts decryption to only the customer's IAM role ensures that even S3-privileged company employees cannot access the plaintext data. S3 bucket policies cannot directly manage KMS decryption permissions, making KMS key policies the correct enforcement point for key access. ACM certificates are designed for securing network transit (SSL/TLS) and are not appropriate for managing data-at-rest encryption in Amazon S3.
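A per-customer key policy of the kind option C describes, written out as an added example (not taken from the exam material). The account IDs `111111111111` (company) and `222222222222` (customer) and every role name containing `EXAMPLE` are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyAdministrationWithoutDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/EXAMPLE-KeyAdmin" },
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:PutKeyPolicy",
        "kms:EnableKeyRotation",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProcessingRoleEncryptOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/EXAMPLE-ResultWriter" },
      "Action": "kms:GenerateDataKey",
      "Resource": "*"
    },
    {
      "Sid": "CustomerRoleDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:role/EXAMPLE-CustomerReader" },
      "Action": [ "kms:Decrypt", "kms:DescribeKey" ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDecryptToEveryoneElse",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::222222222222:role/EXAMPLE-CustomerReader"
        }
      }
    }
  ]
}
```

The customer's own account must also allow its role to call `kms:Decrypt` on this key and `s3:GetObject` on the bucket, because cross-account access needs a grant on both sides. Anyone permitted to call `kms:PutKeyPolicy` can rewrite these statements, so that permission needs the same scrutiny as decrypt itself.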