How do you ensure data encryption at rest and in transit in AWS designs?

Boost your AWS Certified Solutions Architect Professional knowledge. Study with our powerful practice exams featuring flashcards and detailed explanations. Prepare thoroughly for your SAP-C02 certification with our comprehensive quiz!

Multiple Choice

How do you ensure data encryption at rest and in transit in AWS designs?

Explanation:
Protecting data in AWS requires encryption both when it is stored and when it travels. For data at rest, KMS-managed keys (SSE-KMS) provide server-side encryption with centralized key management: you control who can use each key, rotate it, and audit its usage through CloudTrail. This gives granular access control and visible governance over encryption keys across AWS services such as S3 and EBS. For data in transit, TLS (HTTPS) protects data as it moves between clients and AWS services, preserving the confidentiality and integrity of the communication channel. Combining these with policy-based enforcement (IAM policies that require secure transport and restrict key usage, and bucket policies that mandate SSE-KMS and encrypted access) means encryption is enforced by default rather than left optional.

This approach is superior to options that skip encryption at rest, rely on TLS alone without protecting stored data, or use client-side encryption alone, which leaves data unprotected once it is stored or passed through services. SSE-S3 also encrypts data at rest but offers less fine-grained key management than SSE-KMS, making SSE-KMS the better choice for control and auditing.

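As an added example (not from the quiz page), here is the bucket-policy side of that enforcement as a boto3-ready Python script: explicit Deny statements for non-TLS requests and for uploads that are not SSE-KMS. The bucket name is a placeholder, and `enforces_encryption` is an audit helper of my own, not an AWS API.

```python
import json

def _deny(sid: str, action, resource, condition: dict) -> dict:
    """Explicit Deny statement; Deny overrides any Allow an IAM policy grants."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": action, "Resource": resource, "Condition": condition}

def build_bucket_policy(bucket: str) -> dict:
    """Bucket policy that makes both requirements mandatory rather than
    optional: TLS on every request, SSE-KMS on every object write."""
    arn = f"arn:aws:s3:::{bucket}"
    objects = f"{arn}/*"
    sse = "s3:x-amz-server-side-encryption"
    return {"Version": "2012-10-17", "Statement": [
        # In transit: any call that did not arrive over HTTPS is refused
        _deny("DenyInsecureTransport", "s3:*", [arn, objects],
              {"Bool": {"aws:SecureTransport": "false"}}),
        # At rest: a write asking for anything other than SSE-KMS is refused
        _deny("DenyNonKmsEncryption", "s3:PutObject", objects,
              {"StringNotEquals": {sse: "aws:kms"}}),
        # At rest: a write that sends no SSE header at all is refused too
        _deny("DenyMissingEncryptionHeader", "s3:PutObject", objects,
              {"Null": {sse: "true"}}),
    ]}

def enforces_encryption(policy: dict) -> bool:
    """Audit check (own helper): does the policy carry both the TLS deny
    and the SSE-KMS deny? Useful when reviewing existing buckets."""
    has_tls = has_kms = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            has_tls = True
        if cond.get("StringNotEquals", {}).get(
                "s3:x-amz-server-side-encryption") == "aws:kms":
            has_kms = True
    return has_tls and has_kms

if __name__ == "__main__":
    import boto3  # only needed when actually applying the policy
    bucket = "example-bucket"  # placeholder; replace with your own bucket
    boto3.client("s3").put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(build_bucket_policy(bucket)))
```

To pin uploads to one specific key, add the same Deny pair on the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key; restricting who may use that key belongs in the KMS key policy and IAM, not the bucket policy.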
