A company runs an application on AWS that generates sensitive archival files. The company wants to rearchitect the application's data storage so files are encrypted before being sent to AWS, ensuring no third parties can access the data prior to encryption. The company has already created an Amazon S3 bucket. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure the application to use client-side encryption with a key stored in AWS Key Management Service (AWS KMS). Configure the application to store the archival files in the S3 bucket..
Why this is the answer
The correct solution is client-side encryption with a key from AWS KMS. This ensures the data is encrypted before leaving the application and being sent to AWS, meeting the requirement that no third parties can access the data prior to encryption. The key stored in KMS provides secure key management. Server-side encryption options (SSE-S3, SSE-KMS, SSE-C) encrypt data after it has been received by S3. While secure, the data is unencrypted during transit to S3, which violates the requirement that no third party can access the data prior to encryption. Dual-layer server-side encryption also encrypts on the server side. Client-side encryption with an S3-managed key is not a standard S3 encryption method; client-side encryption typically involves the application managing the encryption process.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed