AWS Certified Solutions Architect – Associate (SAA-C03) — Question 819

A company runs an application in the AWS Cloud that generates sensitive archival data files. The company wants to rearchitect the application's data storage. The company wants to encrypt the data files and to ensure that third parties do not have access to the data before the data is encrypted and sent to AWS. The company has already created an Amazon S3 bucket.

Which solution will meet these requirements?

Answer options

• A. Configure the S3 bucket to use client-side encryption with an Amazon S3 managed encryption key. Configure the application to use the S3 bucket to store the archival files.
• B. Configure the S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Configure the application to use the S3 bucket to store the archival files.
• C. Configure the S3 bucket to use dual-layer server-side encryption with AWS KMS keys (SSE-KMS). Configure the application to use the S3 bucket to store the archival files.
• D. Configure the application to use client-side encryption with a key stored in AWS Key Management Service (AWS KMS). Configure the application to store the archival files in the S3 bucket.

Correct answer: D

Explanation

To guarantee that third parties cannot access the data before it reaches AWS, encryption must occur on the client side before transmission. Option D achieves this by encrypting the files within the application using a customer master key stored in AWS KMS. Server-side encryption options (B and C) are incorrect because they encrypt the data only after it has arrived at the S3 bucket, leaving it vulnerable during transit if not encrypted client-side.