AWS Certified SysOps Administrator – Associate (legacy) — Question 376
A user has enabled versioning on an S3 bucket. The user is using server-side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), what is recommended to the user for the purpose of security?
Answer options
- A. The user should not use his own security key as it is not secure
- B. Configure S3 to rotate the user's encryption key at regular intervals
- C. Configure S3 to store the user's keys securely with SSL
- D. Keep rotating the encryption key manually at the client side
Correct answer: D
Explanation
When using Server-Side Encryption with Customer-Provided Keys (SSE-C), Amazon S3 does not store or manage the cryptographic keys. AWS uses the supplied key only for the encryption or decryption operation on that request and then discards it, so the responsibility for managing and rotating these keys lies entirely with the client. S3 therefore cannot rotate an SSE-C key for the user (options B and C); the client must rotate the encryption keys on their side, re-encrypting the stored objects with the new key, to maintain robust security.