Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › An application must encrypt user-uploaded files …
An application must encrypt user-uploaded files in S3 with a key the customer controls (CMK rotation, audit, access policies). Which encryption mode satisfies this?
ANo encryption — rely on bucket policy
BClient-side encryption using a key stored in a public file
CServer-side encryption with KMS (SSE-KMS) using a customer-managed CMK
DSSE-S3 with AWS-managed keys only
Answer & Solution
Correct answer: C. Server-side encryption with KMS (SSE-KMS) using a customer-managed CMK
SSE-KMS with a customer-managed CMK gives full lifecycle control: rotation, key policies, audit via CloudTrail. SSE-S3 hides the keys entirely. No encryption / public keys fail the requirement.
Related questions
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC enWhich approach correctly handles environment-specific configuration (DB endpoints, featureWhich IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-A Lambda function reads database credentials at cold start from AWS Secrets Manager and caAn API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. WhWhich IAM construct is best for granting a CodeBuild project the right to read from one spWhich AWS service issues, manages, and auto-renews public TLS certificates for use with ALA static website served from S3 must allow time-limited downloads to authenticated users w