Which type of encryption should be used?

By:
In: DVA-C01
Tagged:
With: 2 Comments
An application needs to encrypt data that is written to Amazon S3 where the keys are managed in an on-premises data center, and the encryption is handled byS3.

Which type of encryption should be used?

Use server-side encryption with Amazon S3-managed keys.

Use server-side encryption with AWS KMS-managed keys.

Use client-side encryption with AWS KMS-managed keys.

Use server-side encryption with customer-provided keys.

Explanations:

Server-side encryption with Amazon S3-managed keys (SSE-S3) means that Amazon S3 manages the keys for you. This option does not allow for on-premises key management, as the keys are not accessible to the user.

Server-side encryption with AWS KMS-managed keys (SSE-KMS) uses AWS Key Management Service to manage the keys. While KMS offers a level of control, the keys are still managed by AWS, which does not align with the requirement of managing keys on-premises.

Client-side encryption with AWS KMS-managed keys means that data is encrypted before it reaches S3, and the keys are managed through AWS KMS. This does not meet the requirement of managing keys on-premises.

Server-side encryption with customer-provided keys (SSE-C) allows the user to manage encryption keys while Amazon S3 handles the encryption and decryption of the data. This option allows for on-premises key management, fulfilling the requirement.

2026-03-28

2 Comments

  1. Zachary
    Author

    I plot that the answer is:
    Use server-side encryption with customer-provided keys.

  2. Larry
    Author

    As I recall, the answer is:
    Use server-side encryption with customer-provided keys.

Leave a Reply

Your email address will not be published. Required fields are marked *

13 + two =