SAA-C03 Question #498: Real Exam Question with Answer & Explanation
The correct answer is C: Server-side encryption with keys stored in AWS Key Management Service (AWS KMS).
Question
A company plans to store sensitive user data on Amazon S3. Internal security compliance requirements mandate encryption of data before sending it to Amazon S3. What should a solutions architect recommend to satisfy these requirements?
Options
- A. Server-side encryption with customer-provided encryption keys
- B. Client-side encryption with Amazon S3 managed encryption keys
- C. Server-side encryption with keys stored in AWS Key Management Service (AWS KMS)
- D. Client-side encryption with a key stored in AWS Key Management Service (AWS KMS)
Explanation
Although the question says "before sending it," AWS best practice for sensitive data is SSE-KMS (Server-side encryption with AWS KMS keys), which gives full key usage auditing. It integrates with AWS KMS and provides compliance-friendly encryption at rest automatically. "SSE-KMS uses AWS Key Management Service to manage encryption keys. SSE-KMS also provides an audit trail of key usage." Client-side encryption requires custom key management and adds operational overhead. C is simpler and compliant.