Which server-side encryption option uses AWS Key Management Service keys to encrypt data at rest in S3?


Multiple Choice

Which server-side encryption option uses AWS Key Management Service keys to encrypt data at rest in S3?

Explanation:

The server-side encryption option that uses AWS Key Management Service keys for at-rest protection in S3 is SSE-KMS. This option uses KMS to manage the cryptographic keys (KMS keys, formerly called CMKs) that protect your data through envelope encryption: S3 encrypts the object data with a per-object data key, and that data key is in turn encrypted under the KMS key. This approach provides strong key governance: you can control who can access or use the keys with IAM and key policies, rotate keys, and obtain detailed audit trails of key usage in CloudTrail. It also allows per-object or per-bucket key selection and fine-grained access controls.

In contrast, TLS protects data in transit as it moves between clients and S3, not data at rest. SSE-S3 uses S3-managed keys to perform encryption without involving KMS, offering simpler setup but less control and visibility. Client-side encryption happens before data leaves the client, so the encryption occurs outside of S3's server-side process.
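The per-bucket control mentioned above is usually enforced with a bucket policy that denies any PutObject request not marked SSE-KMS. The following added example (written for this page, not code from Examzify or AWS) builds the PutObject parameters a boto3 client would send for each encryption mode and checks them offline against such a policy. The parameter names (ServerSideEncryption, SSEKMSKeyId) and the condition keys (s3:x-amz-server-side-encryption, Null, StringNotEquals) are real; the bucket name, the key alias and the tiny policy evaluator are constructed for illustration, and the evaluator's treatment of a missing key under StringNotEquals is its own assumption.

```python
"""Offline check: would an S3 upload be blocked by an SSE-KMS-only bucket policy?"""
import json

# Constructed policy: two Deny statements, one for uploads with no
# server-side encryption header at all, one for any mode other than aws:kms.
# "example-bucket" is a placeholder name.
ENFORCE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyNonKmsEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
    ],
}


def put_object_params(bucket, key, body, mode, kms_key_id=None):
    """Build the keyword arguments a boto3 s3.put_object call would use.

    mode is one of "SSE-KMS", "SSE-S3" or "NONE".
    """
    params = {"Bucket": bucket, "Key": key, "Body": body}
    if mode == "SSE-KMS":
        params["ServerSideEncryption"] = "aws:kms"
        if kms_key_id:
            params["SSEKMSKeyId"] = kms_key_id  # which KMS key wraps the data key
    elif mode == "SSE-S3":
        params["ServerSideEncryption"] = "AES256"  # S3-managed keys, no KMS
    elif mode != "NONE":
        raise ValueError(f"unknown encryption mode: {mode}")
    return params


def request_context(params):
    """Map the request parameters onto the S3 policy condition keys."""
    ctx = {}
    if "ServerSideEncryption" in params:
        ctx["s3:x-amz-server-side-encryption"] = params["ServerSideEncryption"]
    if "SSEKMSKeyId" in params:
        ctx["s3:x-amz-server-side-encryption-aws-kms-key-id"] = params["SSEKMSKeyId"]
    return ctx


def _condition_matches(operator, key, expected, ctx):
    """Minimal evaluator for the condition operators used in the policy above."""
    actual = ctx.get(key)
    if operator == "Null":
        # Null/"true" matches when the key is absent from the request.
        return (actual is None) == (expected == "true")
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        # Assumption of this toy evaluator: a missing key counts as "not equal".
        return actual != expected
    raise NotImplementedError(operator)


def denied_by(policy, params):
    """Return the Sids of Deny statements that match this PutObject request."""
    ctx = request_context(params)
    reasons = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        conditions = [
            (op, k, v)
            for op, kv in stmt["Condition"].items()
            for k, v in kv.items()
        ]
        if all(_condition_matches(op, k, v, ctx) for op, k, v in conditions):
            reasons.append(stmt["Sid"])
    return reasons


if __name__ == "__main__":
    print(json.dumps(ENFORCE_SSE_KMS_POLICY, indent=2))
    for mode in ("NONE", "SSE-S3", "SSE-KMS"):
        req = put_object_params("example-bucket", "report.csv", b"...", mode,
                                kms_key_id="alias/placeholder-key")
        print(f"{mode:8s} -> denied by {denied_by(ENFORCE_SSE_KMS_POLICY, req) or 'nothing'}")
```

Running the script shows an unencrypted upload tripping both statements, an SSE-S3 upload tripping only the aws:kms check, and an SSE-KMS upload passing. The real evaluation happens in S3, of course; the value of the offline check is in unit-testing client code or CI pipelines before they hit a bucket that enforces this policy.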
