What should the Security Engineer use to accomplish this?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company plans to migrate a sensitive dataset to Amazon S3.A Security Engineer must ensure that the data is encrypted at rest.The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.

What should the Security Engineer use to accomplish this?

Server-side encryption with Amazon S3-managed keys (SSE-S3)

Server-side encryption with AWS KMS-managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Client-side encryption with an AWS KMS-managed CMK

Explanations:

SSE-S3 uses Amazon S3-managed keys for encryption. The company cannot generate its own keys as it relies on Amazon to manage the keys, which does not meet the requirement of self-generated keys.

SSE-KMS allows the company to create and manage its own keys using AWS Key Management Service (KMS). This option enables key generation without the need for the company to manage key storage or the encryption process itself.

SSE-C allows the customer to provide their own encryption keys but requires them to manage the keys and the encryption process, which contradicts the requirement of not managing key storage.

Client-side encryption with AWS KMS-managed CMK means the data is encrypted before it is uploaded to S3. The company would need to manage the encryption process, which does not align with the requirement of not managing encryption or key storage.

2025-10-16

1 Comment

  1. Jerry
    Author

    I compute that the answer is:
    Server-side encryption with AWS KMS-managed keys (SSE-KMS)

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × 5 =