AWS Certified SysOps Administrator – Associate (legacy) — Question 124
A storage admin wants to encrypt all the objects stored in S3 using server-side encryption. The user does not want to use the AES-256 encryption key managed by
S3 (SSE-S3). How can the user achieve this?
Answer options
- A. The admin should upload his secret key to the AWS console and let S3 decrypt the objects
- B. The admin should use CLI or API to upload the encryption key to the S3 bucket. When making a call to the S3 API mention the encryption key URL in each request
- C. S3 does not support client supplied encryption keys for server side encryption
- D. The admin should send the keys and encryption algorithm with each API call
Correct answer: D
Explanation
The correct answer is D. This scenario is server-side encryption with customer-provided keys (SSE-C), not client-side encryption: S3 still performs AES-256 encryption and decryption on the server, but with a key the administrator supplies rather than one S3 manages. S3 does not store the customer key. It uses the key to encrypt the object, discards it, and keeps only a randomly salted HMAC of the key so it can validate later requests. Because the key is never stored, the administrator must send the key, the algorithm name (AES256) and an MD5 of the key in the request headers of every call that touches the object: PUT, GET, HEAD and COPY alike. The request must go over HTTPS, since the key travels in the headers, and if the key is lost the objects are unrecoverable. Option A is incorrect because there is no way to upload a secret key to the console for S3 to use on the customer's behalf. Option B is wrong because S3 never retains customer keys, so there is no stored key to reference by URL; the key itself must accompany each request. Option C is incorrect because S3 does support customer-supplied keys for server-side encryption; the admin simply has to provide the key with each request.
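To make the mechanism behind option D concrete, here is an added example (not part of the original question or of any AWS SDK). The three header names and the base64/MD5 format they carry are the real ones S3 expects for SSE-C. The `FakeS3` class is a hypothetical, standard-library-only model of the service side: it keeps a salted HMAC of the key instead of the key, and it uses an HMAC-based keystream as a stand-in for AES-256 so the code runs offline; the status codes and messages are approximations of what S3 returns, not exact error text.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# Real SSE-C header names (used on PUT, GET, HEAD and COPY).
HDR_ALGO = "x-amz-server-side-encryption-customer-algorithm"
HDR_KEY = "x-amz-server-side-encryption-customer-key"
HDR_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


class S3Error(Exception):
    """Hypothetical stand-in for an S3 error response (status, message)."""


def ssec_headers(key: bytes) -> dict:
    """Client side: the SSE-C headers that must accompany every request."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        HDR_ALGO: "AES256",
        HDR_KEY: base64.b64encode(key).decode("ascii"),
        HDR_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256 so this runs with the standard library only.
    HMAC-SHA256 in counter mode; NOT what S3 uses and not for production."""
    out = bytearray()
    for start in range(0, len(data), 32):
        counter = (start // 32).to_bytes(8, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


class FakeS3:
    """Toy model of S3's handling of SSE-C (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self._objects: dict = {}

    @staticmethod
    def _key_from_headers(headers: dict) -> bytes:
        # An SSE-C object cannot be touched without the full header trio.
        if HDR_KEY not in headers:
            raise S3Error(400, "SSE-C object: customer key headers are required")
        if headers.get(HDR_ALGO) != "AES256":
            raise S3Error(400, "unsupported customer algorithm")
        key = base64.b64decode(headers[HDR_KEY])
        md5 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
        if len(key) != 32 or not hmac.compare_digest(md5, headers.get(HDR_KEY_MD5, "")):
            raise S3Error(400, "customer key MD5 mismatch or wrong key length")
        return key

    def put_object(self, name: str, body: bytes, headers: dict) -> None:
        key = self._key_from_headers(headers)
        salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        self._objects[name] = {
            "salt": salt,
            # Only a salted HMAC of the key is kept, to validate later requests.
            "key_hmac": hmac.new(salt, key, hashlib.sha256).digest(),
            "nonce": nonce,
            "ciphertext": _keystream_xor(key, nonce, body),
        }
        del key  # the customer key is discarded once the request is served

    def get_object(self, name: str, headers: dict) -> bytes:
        obj = self._objects[name]
        key = self._key_from_headers(headers)
        expected = hmac.new(obj["salt"], key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, obj["key_hmac"]):
            raise S3Error(403, "customer key does not match the one used at upload")
        return _keystream_xor(key, obj["nonce"], obj["ciphertext"])


def demo() -> tuple:
    """Upload with a customer key, then show the key is needed again to read."""
    s3 = FakeS3()
    key = secrets.token_bytes(32)  # generated once by the admin; S3 cannot recover it
    body = b"quarterly numbers"  # constructed sample object
    s3.put_object("report.txt", body, ssec_headers(key))
    got = s3.get_object("report.txt", ssec_headers(key))
    try:  # GET without the headers: rejected, the object is SSE-C encrypted
        s3.get_object("report.txt", {})
        no_key_rejected = False
    except S3Error:
        no_key_rejected = True
    try:  # GET with a different key: rejected via the stored salted HMAC
        s3.get_object("report.txt", ssec_headers(secrets.token_bytes(32)))
        wrong_key_rejected = False
    except S3Error:
        wrong_key_rejected = True
    return got, no_key_rejected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the exam expects: nothing about the key survives on the service side except a salted HMAC, so the same key must be re-sent, over HTTPS, on every later GET, HEAD or COPY, and a lost key means lost data. With boto3 the equivalent is passing `SSECustomerAlgorithm="AES256"` and `SSECustomerKey=key` to `put_object` and `get_object`; the SDK derives the MD5 header for you.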