Practice free →
HomeAWS Solutions Architect Associatecloudcomputingsecurearchitectures › A workload needs to encrypt sensitive S3 objects…

A workload needs to encrypt sensitive S3 objects with keys that the customer creates, rotates, and audits — but still wants AWS to manage the underlying cryptographic infrastructure. Which option fits BEST?

AClient-side encryption only, with keys printed on paper
BNo encryption — rely on IAM to gate access
CServer-side encryption with KMS-managed keys (SSE-KMS) using a customer-managed CMK
DServer-side encryption with S3-managed keys (SSE-S3) only
Answer & Solution
Correct answer: C. Server-side encryption with KMS-managed keys (SSE-KMS) using a customer-managed CMK
SSE-KMS with a customer-managed key gives the customer rotation, key policies, audit (via CloudTrail), and CMK-level key access logs while AWS handles the HSM-backed crypto. SSE-S3 uses AWS-managed keys (no per-key audit); paper key management is unscalable; "no encryption" doesn't satisfy the requirement.
Solve this in the app — AWS Solutions Architect Associate practice & 24k+ MCQs →
Related questions