AWS Certified Solutions Architect Professional (SAP-C02) practice question.

Multiple Choice

Which server-side encryption option uses AWS Key Management Service keys to encrypt data at rest in S3?

Explanation:
The correct option is SSE-KMS (server-side encryption with AWS KMS keys). S3 encrypts each object with a unique data key and then encrypts that data key under the KMS key you choose (envelope encryption); the encrypted data key is stored alongside the object and the KMS key itself never leaves KMS. Because the KMS key is a separately authorized resource, SSE-KMS gives you key governance that SSE-S3 cannot: IAM policies and the key policy control who may use the key, so a principal needs kms:Decrypt on that key in addition to s3:GetObject to read the object; customer managed keys can be rotated automatically; and every use of the key is recorded in CloudTrail. You can name the key per request (per object) or set a default key with bucket default encryption, and a bucket policy can deny uploads that do not specify SSE-KMS. Two practical caveats: each object operation calls KMS, which costs money and counts against KMS request quotas (S3 Bucket Keys reduce the number of calls), and the AWS managed key aws/s3 gives you CloudTrail logging but not a key policy you can edit, so use a customer managed key when the access-control benefits are the reason you chose SSE-KMS.

The other options do not fit. TLS protects data in transit between the client and S3, not at rest. SSE-S3 also encrypts at rest with AES-256 and is now the default for new objects, but S3 manages the keys entirely, so there is no separate key policy, no rotation you control, and no per-key audit trail. Client-side encryption happens before the data leaves the client, so S3 only ever stores ciphertext it cannot read; that is a valid design (and the client-side SDKs can use KMS to wrap their data keys), but it is not a server-side option.

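As an added example (not part of the quiz page), the enforcement side of the explanation above in Python: a bucket policy that denies PutObject unless the request names SSE-KMS and one specific key, a helper that builds the headers a client sends (the boto3 put_object parameters ServerSideEncryption and SSEKMSKeyId map onto these headers), and a small evaluator that applies IAM's StringNotEquals semantics so you can see why an upload that simply omits the header is denied rather than waved through. The bucket name, account ID and key ARN are constructed placeholders, and the evaluator covers only the StringNotEquals/Deny shape used here, not full IAM policy evaluation.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed identifiers for the example; not a real account, bucket or key.
BUCKET = "payroll-exports"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Request headers S3 reads on PutObject; the bucket-policy condition keys are
# the same names with an "s3:" prefix.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"


def require_sse_kms_policy(bucket: str, key_arn: str) -> dict:
    """Bucket policy that rejects any upload not encrypted with the given KMS key.

    Two explicit Deny statements: one for a wrong or missing algorithm, one for
    a wrong or missing key. An explicit Deny overrides any Allow the uploader
    otherwise holds.
    """
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {f"s3:{SSE_HEADER}": "aws:kms"}},
            },
            {
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {f"s3:{SSE_KEY_HEADER}": key_arn}},
            },
        ],
    }


def put_object_headers(sse: Optional[str] = None, key_arn: Optional[str] = None) -> Dict[str, str]:
    """Headers a client sends with PutObject. In boto3 these come from
    put_object(..., ServerSideEncryption="aws:kms", SSEKMSKeyId=key_arn)."""
    headers: Dict[str, str] = {}
    if sse is not None:
        headers[SSE_HEADER] = sse
    if key_arn is not None:
        headers[SSE_KEY_HEADER] = key_arn
    return headers


def evaluate_put(policy: dict, headers: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Minimal evaluator for the Deny statements above (StringNotEquals only).

    The IAM rule that matters here: a negated operator such as StringNotEquals
    evaluates to TRUE when the request lacks the condition key, so an upload
    that omits the header is denied, not silently allowed. A statement applies
    when all of its condition clauses match.
    """
    for stmt in policy["Statement"]:
        clauses = stmt["Condition"]["StringNotEquals"]
        matched = all(
            headers.get(ckey[len("s3:"):]) != expected  # None != expected -> True
            for ckey, expected in clauses.items()
        )
        if matched and stmt["Effect"] == "Deny":
            return False, stmt["Sid"]
    return True, None


POLICY = require_sse_kms_policy(BUCKET, KMS_KEY_ARN)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    cases = [
        ("no encryption header (S3 would default to SSE-S3)", put_object_headers()),
        ("SSE-S3 requested explicitly", put_object_headers("AES256")),
        ("aws:kms but no key id header", put_object_headers("aws:kms")),
        ("SSE-KMS with the required key", put_object_headers("aws:kms", KMS_KEY_ARN)),
    ]
    for label, hdrs in cases:
        print(f"{label}: {evaluate_put(POLICY, hdrs)}")
```

To apply the policy for real, pass json.dumps(POLICY) to put_bucket_policy. It governs new uploads only and does not re-encrypt objects already in the bucket, and readers of the resulting objects still need kms:Decrypt on the key, which is the second gate the explanation describes.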
