A company stores log data from multiple accounts in centralized Amazon S3 buckets. A solutions architect must ensure the data is encrypted at rest before upload to S3 and encrypted in transit. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use client-side encryption to encrypt the data before uploading it to the S3 buckets..
Why this is the answer
The correct answer is to use client-side encryption. This ensures data is encrypted before being uploaded to S3, satisfying the "encrypted at rest before upload" requirement. Client-side encryption also inherently provides encryption in transit because the data is already encrypted before it leaves the client. Server-side encryption (SSE-S3, SSE-KMS, SSE-C) encrypts data after it arrives at S3. While it encrypts data at rest within S3 and can use HTTPS for in-transit encryption, it does not encrypt the data before the upload process begins from the client's perspective. Therefore, options involving server-side encryption or bucket policies requiring it do not meet the "before upload" criterion for at-rest encryption.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed