What should a solutions architect use to accomplish this?

By:
In: SAA-C02
Tagged:
With: 2 Comments
A company is planning to use Amazon S3 to store images uploaded by its users.The images must be encrypted at rest in Amazon S3.The company does not want to spend time managing and rotating the keys, but it does want to control who can access those keys.

What should a solutions architect use to accomplish this?

Server-Side Encryption with keys stored in an S3 bucket

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)

Explanations:

Server-Side Encryption with keys stored in an S3 bucket is not a valid option for encrypting data at rest in S3, as S3 does not support storing encryption keys in an S3 bucket. This option does not meet the requirement for key management.

Server-Side Encryption with Customer-Provided Keys (SSE-C) requires the customer to manage the encryption keys, including key rotation and storage. This goes against the requirement of not wanting to manage and rotate keys.

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) encrypts data using keys managed by Amazon S3, but it does not provide the ability to control access to those keys, which is a requirement in this scenario.

Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) allows for the encryption of data at rest with keys managed by AWS Key Management Service (KMS). This option provides control over who can access the keys through IAM policies, and AWS manages key rotation and management, fulfilling all requirements.

2026-04-07

2 Comments

  1. Nathan
    Author

    I draft that the answer is:
    Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)

  2. Gary
    Author

    I gauge that the answer is:
    Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + eight =