What should a solutions architect recommend to satisfy these requirements?

By:
In: SAA-C02
Tagged:
With: 2 Comments
A company plans to store sensitive user data on Amazon S3.Internal security compliance requirement mandate encryption of data before sending it to AmazonS3.

What should a solutions architect recommend to satisfy these requirements?

Server-side encryption with customer-provided encryption keys

Client-side encryption with Amazon S3 managed encryption keys

Server-side encryption with keys stored in AWS key Management Service (AWS KMS)

Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)

Explanations:

Server-side encryption with customer-provided keys (SSE-C) encrypts data on AWS side, not before sending, which fails to meet the requirement for pre-encryption.

Client-side encryption with Amazon S3 managed keys does not fulfill the requirement, as Amazon S3 managed keys handle encryption on the server side, not on the client side.

Server-side encryption with AWS KMS also encrypts data after it reaches Amazon S3, rather than encrypting it before sending, which does not meet the requirement.

Client-side encryption with a master key stored in AWS KMS ensures encryption is handled by the client before data is transmitted to S3, fully satisfying the security compliance requirements.

2026-03-25

2 Comments

  1. Emma
    Author

    In my opinion, the answer is:
    Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)

  2. Jason
    Author

    I systematize that the answer is:
    Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)

Leave a Reply

Your email address will not be published. Required fields are marked *

20 + 13 =