A company plans to store sensitive user data on Amazon S3. Internal security compliance requirements mandate encryption of data before sending it to Amazon S3.
What should a solutions architect recommend to satisfy these requirements?
A. Server-side encryption with customer-provided encryption keys
B. Client-side encryption with Amazon S3 managed encryption keys
C. Server-side encryption with keys stored in AWS Key Management Service (AWS KMS)
D. Client-side encryption with a key stored in AWS Key Management Service (AWS KMS)
The requirement is explicit: the data must be encrypted before it is sent to Amazon S3, so the encryption has to happen on the client, and the answer is D. Options A (SSE-C) and C (SSE-KMS) are server-side encryption: the object reaches S3 in plaintext, protected only by TLS in transit, and S3 encrypts it on write, so neither satisfies "before sending." Option B is not a real choice: Amazon S3 managed keys (SSE-S3) exist only for server-side encryption and are never released to a client. With D, the client (for example the Amazon S3 Encryption Client configured with a KMS key) asks AWS KMS for a data key, encrypts the object locally, stores the KMS-wrapped data key alongside the object, and uploads only ciphertext. S3 never sees the plaintext, and KMS still records every GenerateDataKey and Decrypt call in AWS CloudTrail, so the key-usage audit trail is retained.
The AWS documentation's description of SSE-KMS is accurate, but it describes encryption at rest applied by S3 after the object has been received, which is why it does not settle this question:
“SSE-KMS uses AWS Key Management Service to manage encryption keys. SSE-KMS also provides an audit trail of key usage.”
— Protecting Data Using Server-Side Encryption
Why not C?
SSE-KMS is the simpler choice and the right default when encryption at rest is all that is required, and client-side encryption does add operational work (the client must call KMS and handle data keys itself). But SSE-KMS encrypts only after the object has arrived at S3, so the data is not encrypted before sending and the compliance requirement is not met.
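What option D does in code, as an added example that is not from the exam page and not AWS's own code: a Go program that performs client-side envelope encryption with a KMS-held key, the same pattern the Amazon S3 Encryption Client follows when configured with a KMS key. The KMS calls are modelled by a local stand-in (fakeKMS) so the example runs offline; in production the KeyService interface would be satisfied by the AWS SDK's kms.Client. The x-amz-key-v2 metadata name is assumed (modelled on the S3 Encryption Client's convention), and the sample record in the test is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// KeyService is the part of AWS KMS the client needs; in production it is the
// AWS SDK's kms.Client (GenerateDataKey and Decrypt), here a local stand-in.
type KeyService interface {
	GenerateDataKey(keyID string) (plaintext, wrapped []byte, err error)
	Decrypt(keyID string, wrapped []byte) ([]byte, error)
}

// fakeKMS is constructed for this example: its master key never leaves it, and
// every data key it hands out is also returned wrapped under that master key.
type fakeKMS struct{ master []byte }

func (k fakeKMS) GenerateDataKey(string) ([]byte, []byte, error) {
	dk := randBytes(32) // fresh AES-256 data key for this one object
	return dk, gcmSeal(k.master, dk), nil
}

func (k fakeKMS) Decrypt(_ string, wrapped []byte) ([]byte, error) {
	return gcmOpen(k.master, wrapped) // fails if the wrapped key was altered
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM; every key in this example is 32 bytes, so a failure
// here is a programming error rather than a runtime condition.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// gcmSeal returns nonce||ciphertext||tag under AES-GCM with a random nonce.
func gcmSeal(key, plaintext []byte) []byte {
	g := mustGCM(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen reverses gcmSeal and fails on any modification of the ciphertext.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	g := mustGCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptedObject is all that goes over the wire to S3: the ciphertext body and
// the wrapped data key in user metadata (header name assumed, after the Amazon
// S3 Encryption Client's x-amz-key-v2).
type EncryptedObject struct {
	Body     []byte
	Metadata map[string]string
}

// EncryptForUpload is client-side envelope encryption: fetch a data key from
// KMS, encrypt locally, wipe the plaintext key, keep only the wrapped copy.
func EncryptForUpload(ks KeyService, keyID string, plaintext []byte) (*EncryptedObject, error) {
	dk, wrapped, err := ks.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	body := gcmSeal(dk, plaintext)
	clear(dk) // the plaintext data key must not outlive this call
	return &EncryptedObject{Body: body, Metadata: map[string]string{
		"x-amz-key-v2": base64.StdEncoding.EncodeToString(wrapped),
	}}, nil
}

// DecryptAfterDownload has KMS unwrap the data key (a Decrypt call that KMS
// logs to CloudTrail), then decrypts the object locally.
func DecryptAfterDownload(ks KeyService, keyID string, obj *EncryptedObject) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(obj.Metadata["x-amz-key-v2"])
	if err != nil {
		return nil, err
	}
	dk, err := ks.Decrypt(keyID, wrapped)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dk, obj.Body)
}
```

The point to notice is what S3 would receive: an EncryptedObject whose body is AES-GCM ciphertext and whose metadata carries only a data key wrapped by KMS. Neither S3 nor anyone who later reads the bucket can recover the record without a KMS Decrypt call that the key policy must allow and that CloudTrail records. With SSE-C or SSE-KMS the same PutObject would carry the plaintext body, which is exactly what the requirement forbids.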