Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 440 discussion

A company is using a centralized AWS account to store log data in various Amazon S3 buckets. A solutions architect needs to ensure that the data is encrypted at rest before the data is uploaded to the S3 buckets. The data also must be encrypted in transit.
Which solution meets these requirements?

  • A. Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.
  • B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.
  • C. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys (SSE-S3) for S3 uploads.
  • D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management Service (AWS KMS) key.
Suggested Answer: A

Comments

Moab
Highly Voted 3 years, 7 months ago
Answer is A. Guys, please stop playing smart!!! Protect data in transit = SSL/TLS or Client-Side Encryption. It is VERY clear in AWS Docs: "Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit using Secure Socket Layer/Transport Layer Security (SSL/TLS) or client-side encryption." https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html
upvoted 58 times
...
Kenzo
Highly Voted 3 years, 7 months ago
Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects. Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. Answer is A
upvoted 15 times
...
1sid
Most Recent 2 years, 9 months ago
A is the correct answer because the user encrypts the data before it is uploaded to S3 (encryption at rest), and the data will also stay encrypted while in the S3 bucket, with the encryption keys still managed by the user. The server can't encrypt a file stored on your PC before it is uploaded into the AWS S3 bucket.
upvoted 2 times
...
Lavvvender
2 years, 9 months ago
Selected Answer: A
AAAAAA
upvoted 1 times
...
Aniketh
2 years, 11 months ago
Selected Answer: A
I go with A
upvoted 2 times
...
lukaszr
3 years ago
It is C: https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
upvoted 1 times
derekurizar
2 years, 12 months ago
But it mentions encryption in transit too...
upvoted 1 times
...
...
phloot
3 years, 1 month ago
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
upvoted 2 times
...
phloot
3 years, 1 month ago
Answer is C, which takes care of both encryption during upload and at rest as well. To encrypt an object at the time of upload, you need to add a header called x-amz-server-side-encryption to the request to tell S3 to encrypt the object using SSE-C, SSE-S3, or SSE-KMS. The following code example shows a Put request using SSE-S3. In order to enforce object encryption, create an S3 bucket policy that denies any S3 Put request that does not include the x-amz-server-side-encryption header. There are two possible values for the x-amz-server-side-encryption header: AES256, which tells S3 to use S3-managed keys, and aws:kms, which tells S3 to use AWS KMS–managed keys. So this clearly states that a bucket policy with SSE-S3 encryption is the right answer.
upvoted 2 times
...
cutecolt
3 years, 1 month ago
By right this answer should have two options. One to do client-side encryption for transit and another one a bucket policy to ensure that it is encrypted.
upvoted 1 times
...
PrinceMughal
3 years, 4 months ago
Selected Answer: A
Ans should be A
upvoted 2 times
...
luckybme
3 years, 4 months ago
Selected Answer: A
Client-side encryption clearly takes care of both conditions (encryption at rest, and in transit). It's unambiguous and therefore is my choice.
upvoted 3 times
...
CeCe1
3 years, 5 months ago
B is the correct answer. Please try to understand the grammar here: it said the data MUST be encrypted AT REST first, which is using SERVER-SIDE ENCRYPTION, then it said "Additionally", meaning adding to the original plan. We need it to be also encrypted during transit.
upvoted 1 times
...
jj22222
3 years, 5 months ago
C looks right
upvoted 1 times
...
ananthkamath
3 years, 5 months ago
Selected Answer: A
A is correct
upvoted 2 times
...
pikaflash
3 years, 5 months ago
Selected Answer: A
Answer is A.
upvoted 2 times
...
mankeer
3 years, 6 months ago
A OR D
upvoted 1 times
...
Gomer
3 years, 6 months ago
Answer is absolutely C. This was covered in an "A Cloud Guru" lab demo video. You use a bucket policy that denies files that don't have an "s3:x-amz-server-side-encryption" header. When you do that, you can't upload files that aren't encrypted. S3 rejects them. I tried to cut/paste the actual policy I tested, but this web site keeps barfing when I try to post it. Anyway, google the above tag, and you'll find notes on this. As far as I'm concerned, a file that is encrypted at rest BEFORE the upload to S3 is encrypted during the upload to S3. It's all covered here: https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
upvoted 6 times
...
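The bucket policy described in phloot's and Gomer's comments (option C), as an added example that is not from the thread or the linked AWS blog post: a simplified Python model of its Deny conditions, run against constructed PutObject request contexts. The bucket name, the Sids, the helper names and the extra `aws:SecureTransport` statement are assumptions added for illustration.

```python
# Added illustration: simplified model of how S3 evaluates Deny statements.
# EXAMPLE-LOG-BUCKET is a placeholder; all requests are constructed samples.
SSE = "s3:x-amz-server-side-encryption"
OBJECTS = "arn:aws:s3:::EXAMPLE-LOG-BUCKET/*"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyWrongSseHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringNotEquals": {SSE: "AES256"}}},
        {"Sid": "DenyMissingSseHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"Null": {SSE: "true"}}},
        {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": OBJECTS,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def _matches(op, key, want, ctx):
    have = ctx.get(key)
    if op == "StringNotEquals":   # an absent key also counts as "not equal"
        return have != want
    if op == "Null":              # "true" matches only when the key is absent
        return (have is None) == (want == "true")
    if op == "Bool":
        return have is not None and str(have).lower() == want
    raise ValueError(f"operator not modelled: {op}")

def denied_by(action, ctx):
    """Return the Sid of every Deny statement that matches this request."""
    hits = []
    for st in POLICY["Statement"]:
        if st["Action"] not in (action, "s3:*"):
            continue
        conds = [(op, k, v) for op, kv in st["Condition"].items() for k, v in kv.items()]
        if all(_matches(op, k, v, ctx) for op, k, v in conds):
            hits.append(st["Sid"])
    return hits

def put_request(sse=None, tls=True):
    """Build the request context S3 would see for a PutObject call."""
    ctx = {"aws:SecureTransport": tls}
    if sse is not None:
        ctx[SSE] = sse
    return ctx

# The policy sees only the header and the transport; the request body's
# content (plaintext or client-side ciphertext) is not part of the context.
```

An empty list from `denied_by` means no Deny statement matched, so the upload would proceed if an Allow applies.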
Community vote distribution: A (35%), C (25%), B (20%), Other