
Answer-first summary for fast verification
Answer: Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.
## Explanation

**Correct Answer: A - Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.**

**Why this is correct:**

1. **Encryption at rest BEFORE upload**: The requirement specifically states that data must be encrypted at rest **before** it is uploaded to S3 buckets. Client-side encryption encrypts the data on the client side before transmission to S3, meeting the "before upload" requirement.
2. **Encryption in transit**: When using HTTPS/TLS for uploading data to S3 (which is standard practice), the data is encrypted in transit. Client-side encryption combined with HTTPS provides both encryption at rest (before upload) and encryption in transit.

**Why other options are incorrect:**

**B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.**

- Server-side encryption encrypts data **after** it arrives at S3, not **before** upload as required.
- While it provides encryption at rest, it doesn't meet the "before upload" requirement.

**C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.**

- This only ensures data is encrypted at rest **after** it reaches S3.
- It doesn't encrypt data before upload.
- Bucket policies can enforce SSE-S3, but this happens server-side, not client-side.

**D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.**

- This enables default encryption for S3 buckets, but again, this is server-side encryption that happens **after** data is uploaded.
- It doesn't encrypt data before upload.

**Key Concepts:**

- **Client-side encryption**: Data is encrypted on the client side before being sent to AWS. The encryption keys are managed by the customer.
- **Server-side encryption**: Data is encrypted by AWS after it reaches the S3 service.
- **Encryption in transit**: Achieved through HTTPS/TLS protocols during data transmission.
- **Encryption at rest**: Data is encrypted when stored on disk.

The requirement for encryption "before the data is uploaded" is the critical factor that makes client-side encryption the only correct choice.

Author: LeetQuiz Editorial Team
A company is using a centralized AWS account to store log data in various Amazon S3 buckets. A solutions architect needs to ensure that the data is encrypted at rest before the data is uploaded to the S3 buckets. The data also must be encrypted in transit.
Which solution meets these requirements?

A. Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.

B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.

C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.

D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.