
A company is using a centralized AWS account to store log data in various Amazon S3 buckets. A solutions architect needs to ensure that the data is encrypted at rest before the data is uploaded to the S3 buckets. The data also must be encrypted in transit.
Which solution meets these requirements?
A. Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.
B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.
C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.
D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.
Explanation:
Correct Answer: A - Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.
Why this is correct:
Encryption at rest BEFORE upload: The requirement specifically states that data must be encrypted at rest before it is uploaded to S3 buckets. Client-side encryption encrypts the data on the client side before transmission to S3, meeting the "before upload" requirement.
Encryption in transit: When using HTTPS/TLS for uploading data to S3 (which is standard practice), the data is encrypted in transit. Client-side encryption combined with HTTPS provides both encryption at rest (before upload) and encryption in transit.
Why other options are incorrect:
B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.
C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.
D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.
Key Concepts:
The requirement for encryption "before the data is uploaded" is the critical factor that makes client-side encryption the only correct choice.