AWS Certified SysOps Administrator – Associate (legacy) — Question 346

A system admin is planning to encrypt all objects being uploaded to S3 from an application. The system admin does not want to implement his own encryption algorithm; instead he is planning to use server side encryption by supplying his own key (SSE-C). Which parameter is not required while making a call for SSE-C?

Answer options

• A. x-amz-server-side-encryption-customer-key-AES-256
• B. x-amz-server-side-encryption-customer-key
• C. x-amz-server-side-encryption-customer-algorithm
• D. x-amz-server-side-encryption-customer-key-MD5

Correct answer: A

Explanation

When using SSE-C, Amazon S3 requires three specific headers in the request: the encryption algorithm (x-amz-server-side-encryption-customer-algorithm), the 256-bit base64-encoded encryption key (x-amz-server-side-encryption-customer-key), and the MD5 digest of the encryption key (x-amz-server-side-encryption-customer-key-MD5) to verify its integrity. The parameter 'x-amz-server-side-encryption-customer-key-AES-256' is not a valid or required header for SSE-C operations.