Which encryption option will meet these requirements?

By:
In: DVA-C02
Tagged:
With: 1 Comment
A developer is storing sensitive data generated by an application in Amazon S3.The developer wants to encrypt the data at rest.A company policy requires an audit trail of when the AWS Key Management Service (AWS KMS) key was used and by whom.

Which encryption option will meet these requirements?

Server-side encryption with Amazon S3 managed keys (SSE-S3)

Server-side encryption with AWS KMS managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Server-side encryption with self-managed keys

Explanations:

SSE-S3 uses Amazon S3 managed keys for encryption. While it encrypts data at rest, it does not provide audit trails for key usage in AWS KMS. Therefore, it does not meet the requirement for tracking when and by whom the key was used.

SSE-KMS uses AWS KMS managed keys, which allows for server-side encryption and includes a detailed audit trail through AWS CloudTrail. This meets the requirement of encrypting data at rest while also tracking key usage and user identity.

SSE-C allows users to provide their own encryption keys for server-side encryption, but it does not integrate with AWS KMS. Consequently, there is no audit trail for key usage through AWS KMS, failing to meet the company policy requirements.

Self-managed keys for encryption do not leverage AWS KMS and therefore lack the audit capabilities provided by KMS. This means there is no built-in tracking for when and by whom the keys were used, making it non-compliant with the audit trail requirement.

2025-10-18

1 Comment

  1. Emily
    Author

    I rank that the answer is:
    Server-side encryption with AWS KMS managed keys (SSE-KMS)

Leave a Reply

Your email address will not be published. Required fields are marked *

13 + five =