AWS Certified Solutions Architect – Associate (SAA-C03) — Question 762
A financial company needs to handle highly sensitive data. The company will store the data in an Amazon S3 bucket. The company needs to ensure that the data is encrypted in transit and at rest. The company must manage the encryption keys outside the AWS Cloud.
Which solution will meet these requirements?
Answer options
- A. Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) customer managed key.
- B. Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) AWS managed key.
- C. Encrypt the data in the S3 bucket with the default server-side encryption (SSE).
- D. Encrypt the data at the company's data center before storing the data in the S3 bucket.
Correct answer: D
Explanation
To satisfy the requirement that the encryption keys never reside in the AWS Cloud, the company must encrypt the data in its own data center (client-side encryption) before uploading it to Amazon S3, so that S3 only ever receives ciphertext. Options A, B, and C all rely on server-side encryption (SSE), in which AWS performs the encryption and the keys are held inside AWS: in AWS KMS for options A and B, and as S3-managed keys for the default SSE in option C. Because the data is already ciphertext before it leaves the company's network, client-side encryption also ensures the data is encrypted both in transit to S3 and at rest in the bucket.