Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 109 discussion

A company plans to store sensitive user data on Amazon S3. Internal security compliance requirements mandate encryption of data before sending it to Amazon S3.
What should a solutions architect recommend to satisfy these requirements?

  • A. Server-side encryption with customer-provided encryption keys
  • B. Client-side encryption with Amazon S3 managed encryption keys
  • C. Server-side encryption with keys stored in AWS Key Management Service (AWS KMS)
  • D. Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)
Suggested Answer: D

Comments

yakman
Highly Voted 3 years, 9 months ago
Answer D! https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
upvoted 84 times
rob_724
3 years, 9 months ago
Yep, client needs the data to be encrypted b4 sending it to S3
upvoted 7 times
...
aguy9
3 years, 8 months ago
I agree, answer is D
upvoted 3 times
...
noahsark
3 years, 7 months ago
Agree with D. This may help:
Server-side:
  • S3 Managed Keys (SSE-S3)
  • KMS Managed Keys (SSE-KMS)
  • Customer Provided Keys (SSE-C)
Client-side:
  • KMS managed master encryption keys (CSE-KMS)
  • Customer managed master encryption keys (CSE-C)
Source: AWS Exam Readiness
upvoted 34 times
...
...
anpt
Highly Voted 3 years, 8 months ago
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
upvoted 9 times
...
Eleftheriia
Most Recent 1 year, 4 months ago
Could it be also C, because as it is stated below, data is protected in transit and at rest?

Amazon S3 Encryption Client

Client-side encryption provides end-to-end protection for your object, in transit and at rest, from its source to storage in Amazon S3. Your data is protected in transit and at rest. It is never exposed to any third party, including AWS. You choose how your cryptographic keys are protected. You specify the wrapping key used to protect the data keys that encrypt your objects. Your objects are all encrypted with a unique data key. The Amazon S3 Encryption Client does not use or interact with bucket keys, even if you specify a KMS key as your wrapping key.

https://docs.aws.amazon.com/amazon-s3-encryption-client/latest/developerguide/client-server-side.html
upvoted 1 times
...
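The wrapping-key and data-key scheme in the documentation quoted above, as an added example that is not part of the original thread or AWS's own code. A local random key stands in for the KMS key, AES-256-GCM is an assumed cipher choice, and all function names are hypothetical.

```javascript
const nodeCrypto = require('crypto');

// Stand-in for the KMS key (assumption). With a real KMS key the wrapping
// key never leaves AWS KMS, and wrap/unwrap are KMS API calls.
const wrappingKey = nodeCrypto.randomBytes(32);

// AES-256-GCM with a fresh 96-bit nonce. Output: nonce | ciphertext | tag.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Reverses seal(). final() throws if the key is wrong or a byte was changed.
function open(key, sealed) {
  if (sealed.length < 28) throw new Error('sealed input is truncated');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(sealed.length - 16));
  return Buffer.concat([d.update(sealed.subarray(12, sealed.length - 16)), d.final()]);
}

// Runs on the client before upload: a unique data key encrypts the object,
// then the data key is wrapped. Only this envelope would be sent to S3.
function encryptObject(plaintext) {
  const dataKey = nodeCrypto.randomBytes(32);
  const envelope = {
    wrappedKey: seal(wrappingKey, dataKey),
    body: seal(dataKey, plaintext),
  };
  dataKey.fill(0); // the plaintext data key is not kept after sealing
  return envelope;
}

// Runs on the client after download: unwrap the data key, decrypt the body.
function decryptObject(envelope) {
  const dataKey = open(wrappingKey, envelope.wrappedKey);
  try {
    return open(dataKey, envelope.body);
  } finally {
    dataKey.fill(0);
  }
}

// Constructed sample record, not data from the page.
const sample = Buffer.from('user=alice;ssn=000-00-0000');
const stored = encryptObject(sample);
console.log(stored.body.includes(sample), decryptObject(stored).equals(sample));
```

The storage side only ever receives `stored`, so reading the object back requires access to the wrapping key, which is the property the question's "before sending it to Amazon S3" requirement asks for.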
iamjeffbezos
2 years, 8 months ago
B is not possible because the customer doesn't have access to this key; it's managed by AWS and so only usable server-side
upvoted 1 times
...
17Master
2 years, 9 months ago
Selected Answer: D
Is correct D
upvoted 1 times
...
naveenagurjara
2 years, 12 months ago
Selected Answer: D
B. Client-side encryption with Amazon S3 managed encryption keys
You cannot use S3 Managed key on your client side of the connection.
upvoted 2 times
...
jasonzsg
3 years, 6 months ago
D should be correct.
upvoted 1 times
...
cvlaje
3 years, 7 months ago
Answer D
Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options:
  • Use a customer master key (CMK) stored in AWS Key Management Service (AWS KMS).
  • Use a master key that you store within your application.
upvoted 6 times
...
chxzqw
3 years, 7 months ago
so why not B ?
upvoted 2 times
tinyshare
3 years, 7 months ago
Client side encryption has two options:
1. AWS KMS CMK
2. customer application
SSE-S3 is server side. So there is no such thing called S3 client side encryption
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html
upvoted 3 times
...
...
syu31svc
3 years, 7 months ago
A and C are eliminated; server-side encryption does not answer the qn of "mandate encryption of data before sending it to Amazon S3". Between B and D, AWS key encryption is about KMS so D is the answer
upvoted 4 times
...
mryala
3 years, 8 months ago
it's D
upvoted 1 times
...
Yogi
3 years, 8 months ago
Ans = D. Data has to be encrypted before being sent to S3. That is CSE.
upvoted 1 times
...
Kingshah23
3 years, 8 months ago
Couldn't it be A because they haven't migrated the data over yet, so they need to encrypt it before they send it over and so they'd have to do the encryption on prem?
upvoted 1 times
Kingshah23
3 years, 8 months ago
JK, it's D: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html
upvoted 1 times
...
...
ashok1234567890
3 years, 8 months ago
DDDDDDDDDDDDD
upvoted 1 times
...
Ankitrathi85
3 years, 8 months ago
D right
upvoted 1 times
...
myutran
3 years, 8 months ago
Answer: D
upvoted 1 times
...
AwsNewPeople
3 years, 8 months ago
DDDDDDDDDDDDDDDDDDD
upvoted 1 times
...