
Answer-first summary for fast verification
Answer: Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
You have the following options for protecting data at rest in Amazon S3:

- Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the object.
- Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

When you use server-side encryption with AWS KMS (SSE-KMS), you can use the default AWS managed CMK, or you can specify a customer-managed CMK that you have already created. Creating your own customer-managed CMK gives you more flexibility and control over the CMK. For example, you can create, rotate, and disable customer-managed CMKs. You can also define access controls and audit the customer-managed CMKs that you use to protect your data.
Author: LeetQuiz Editorial Team
A financial services company aims to protect its customer data by ensuring it is always encrypted while stored in Amazon S3. The company seeks a solution managed by AWS that provides them the ability to fully control the creation, rotation, and removal of the encryption keys.
Given this requirement, as a Developer Associate, which of the following solutions would you recommend to meet this use-case?
A. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
B. Server-Side Encryption with Customer-Provided Keys (SSE-C)
C. Server-Side Encryption with Secrets Manager
D. Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)