nerdexam
Amazon

DVA-C02 · Question #611

A social media company is designing a platform that allows users to upload data, which is stored in Amazon S3. Users can upload data encrypted with a public key. The company wants to ensure that only

The correct answer is D. Use client-side encryption with a customer-managed encryption key to encrypt the data.. Option D is correct because client-side encryption with a customer-managed key allows the company to use an asymmetric key pair - users encrypt uploads with the company's public key, and only the company holds the matching private key needed to decrypt. Since the data is encrypte

Submitted by mateo_ar· Mar 5, 2026Security

Question

A social media company is designing a platform that allows users to upload data, which is stored in Amazon S3. Users can upload data encrypted with a public key. The company wants to ensure that only the company can decrypt the uploaded content using an asymmetric encryption key. The data must always be encrypted in transit and at rest. Which solution meets these requirements?

Options

  • AUse server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the data.
  • BUse server-side encryption with customer-provided encryption keys (SSE-C) to encrypt the data.
  • CUse client-side encryption with a data key to encrypt the data.
  • DUse client-side encryption with a customer-managed encryption key to encrypt the data.

How the community answered

(34 responses)
  • A
    21% (7)
  • B
    3% (1)
  • C
    9% (3)
  • D
    68% (23)

Explanation

Option D is correct because client-side encryption with a customer-managed key allows the company to use an asymmetric key pair - users encrypt uploads with the company's public key, and only the company holds the matching private key needed to decrypt. Since the data is encrypted before it leaves the user's machine, it is protected both in transit and at rest without relying on S3 to perform the encryption.

A (SSE-S3) is wrong because it uses symmetric encryption managed entirely by AWS, meaning AWS - not the company - controls decryption. B (SSE-C) is wrong because it still uses symmetric keys and requires sending the key to S3 on each request, violating the requirement that only the company can decrypt. C (client-side with a data key) is wrong because a generic "data key" implies symmetric envelope encryption, not the asymmetric key pair the question explicitly requires.

Memory tip: Whenever a question mentions a public key to encrypt and only one party can decrypt, that's the asymmetric pattern - map it directly to client-side encryption with a customer-managed key (D), since only client-side encryption gives the company full control of the private key without AWS ever seeing it.

Topics

#Client-side encryption#AWS KMS#Asymmetric encryption#S3 data protection

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice