Which solution will meet these requirements?
A. Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) customer managed key.
B. Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) AWS managed key.
C. Encrypt the data in the S3 bucket with the default server-side encryption (SSE).
D. Encrypt the data at the company’s data center before storing the data in the S3 bucket.
Explanations:
A. This option uses AWS KMS customer managed keys, which means the keys are managed within the AWS environment. The requirement states that the company must manage the encryption keys outside the AWS Cloud, making this option unsuitable.
B. This option uses AWS KMS AWS managed keys, which means the keys are also managed within the AWS environment. Similar to option A, this does not meet the requirement for managing keys outside the AWS Cloud.
C. This option employs default server-side encryption (SSE), which typically utilizes AWS-managed keys. As with options A and B, this does not fulfill the requirement for external key management.
D. This option involves encrypting the data at the company’s data center before storing it in the S3 bucket. This method allows the company to fully control the encryption process and manage the keys outside of AWS, thus meeting all specified requirements.