Q92 — AWS DVA-C02 Ch.1
A developer has an application that stores data in an Amazon S3 bucket. The application uses HTTP APIs to store and retrieve objects. When the PutObject API operation adds an object to the S3 bucket, the developer must use server-side encryption with Amazon S3-managed keys (SSE-S3) to encrypt these objects at rest. Which solution meets this requirement?
- A. Create an AWS Key Management Service (AWS KMS) key. Assign the KMS key to the S3 bucket.
- B. Set the x-amz-server-side-encryption header when calling the PutObject API operation. ✓
- C. Provide the encryption key in the HTTP header of each request.
- D. Apply TLS encryption to traffic flowing to the S3 bucket.
Correct Answer: B. Set the x-amz-server-side-encryption header when calling the PutObject API operation.
Explanation
The x-amz-server-side-encryption header: Amazon S3 provides a simple mechanism to specify server-side encryption during object storage. By setting the x-amz-server-side-encryption header in the HTTP request with value AES256, S3 is instructed to apply SSE-S3 encryption when storing the object.

SSE-S3: This encryption method is fully managed by Amazon S3 and does not require developers to manage encryption keys. It ensures strong security by encrypting objects at rest.

Comparing other options:
- Option A configures AWS KMS-based server-side encryption (SSE-KMS), not SSE-S3, thus violating the requirement.
- Option D applies TLS encryption to data in transit—not at rest—and therefore does not satisfy the requirement.
- Option C incorrectly assumes developers must supply encryption keys per request, which contradicts SSE-S3’s managed-key model.

Therefore, the correct action is to include the x-amz-server-side-encryption: AES256 header in every PutObject API request to ensure SSE-S3 encryption.