Home › AWS Solutions Architect Associate › cloudcomputing › securearchitectures › A workload needs to encrypt sensitive S3 objects…
A workload needs to encrypt sensitive S3 objects with keys that the customer creates, rotates, and audits — but still wants AWS to manage the underlying cryptographic infrastructure. Which option fits BEST?
AClient-side encryption only, with keys printed on paper
BNo encryption — rely on IAM to gate access
CServer-side encryption with KMS-managed keys (SSE-KMS) using a customer-managed CMK
DServer-side encryption with S3-managed keys (SSE-S3) only
Answer & Solution
Correct answer: C. Server-side encryption with KMS-managed keys (SSE-KMS) using a customer-managed CMK
SSE-KMS with a customer-managed key gives the customer rotation, key policies, audit (via CloudTrail), and CMK-level key access logs while AWS handles the HSM-backed crypto. SSE-S3 uses AWS-managed keys (no per-key audit); paper key management is unscalable; "no encryption" doesn't satisfy the requirement.
Related questions
Which AWS feature lets you store and retrieve secrets (database passwords, API tokens) witWhich AWS service enables an organisation to enforce a baseline of security configuration Which combination implements defense-in-depth network segmentation inside a VPC for a publA team wants short-lived credentials (15 minutes) for an external CI/CD system running OUTAn organisation needs to give a partner read-only access to one specific S3 bucket across Which AWS service is purpose-built to find and classify sensitive data (e.g. PII, credit-cWhich AWS service inspects CloudTrail / VPC flow logs / DNS query logs with ML to detect aAn organisation needs a managed L7 web application firewall to filter SQL injection and cr