Q67 — AWS DVA-C02 Ch.2

A software company must ensure documents uploaded by users are securely stored in Amazon S3. Documents must be encrypted at rest in Amazon S3. The company wishes to avoid client-side encryption and does not want to manage security infrastructure. Additionally, the company wants to control the keys used for at-rest encryption. Which encryption key solution should developers use to meet these requirements?

Correct Answer: C. AWS Key Management Service (AWS KMS) customer-managed keys

Explanation

AWS KMS provides centralized encryption key management, which suits customers who do not want to manage key security infrastructure themselves. The company wants to avoid client-side encryption, does not want to manage security infrastructure, and wants to retain control over the keys used for at-rest encryption, so AWS KMS customer-managed keys (option C) are the most appropriate choice. This lets the company use AWS’s managed key service while maintaining full control over key usage and policies. The other options either require client-side encryption (B) or lack sufficient key control and management capabilities (A and D).