AWS Certified Data Engineer Associate DEA-C01 Practice Question
An encrypted data lake is stored in an Amazon S3 bucket owned by the Security AWS account. Application teams in three other accounts must upload objects that remain encrypted with server-side AWS KMS and can be decrypted only by analysts in the Security account. Which configuration meets these requirements with minimal key-management overhead?
Turn on default bucket encryption with the AWS managed key aws/s3 and give the application roles s3:PutObject permission.
Create a separate customer-managed KMS key in each application account, grant the Security account decryption, and configure the bucket to accept uploads encrypted with the corresponding key.
Define a single customer-managed KMS key in the Security account. In its key policy allow the application-account roles only kms:Encrypt, kms:GenerateDataKey*, and kms:ReEncrypt* actions. Require SSE-KMS with that key ARN in the bucket policy.
Provide presigned PUT URLs that include SSE-C headers so each application team supplies its own client-side key when uploading.
The correct approach is to place a single customer-managed KMS key in the Security account and share it. A key-policy statement that gives the application-account roles kms:Encrypt, kms:GenerateDataKey*, and kms:ReEncrypt* lets them upload and encrypt objects but withholds kms:Decrypt, so they cannot read the data. A bucket policy that denies uploads unless the specific key ARN is supplied ensures every object is protected by that key. Analysts in the Security account keep Decrypt permission, so only they can access the contents. This centralizes rotation, auditing, and permission management to one key.
Creating separate keys in every application account multiplies the rotation and policy work, and each application account, as owner of its key, would still be able to decrypt its own uploads. The AWS managed key (aws/s3) cannot be used for cross-account access because its key policy cannot be edited, so objects would be unreadable. SSE-C requires each team to manage its own client-side keys; because S3 never stores those keys, the Security account could not decrypt the uploads.
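As an added example (not part of the exam page), the two policy documents the correct option describes, plus a small simulator of how AWS evaluates them. Account ids, role names, the bucket name and the key id are constructed placeholders, and the evaluation logic is deliberately simplified to the rules this question depends on. It also shows a caveat the explanation does not spell out: the bucket policy needs one Deny statement per header, because condition keys inside a single StringNotEquals block are ANDed.

```python
import fnmatch

SECURITY_ACCOUNT = "111111111111"  # constructed placeholder account id
APP_ROLE_ARNS = [f"arn:aws:iam::{acct}:role/uploader"  # constructed placeholders
                 for acct in ("222222222222", "333333333333", "444444444444")]
KEY_ARN = f"arn:aws:kms:us-east-1:{SECURITY_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
BUCKET = "security-data-lake"  # constructed placeholder

def key_policy():
    """Key policy: Security account administers and decrypts; app roles encrypt only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "SecurityAccountAccess", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppRolesEncryptOnly", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE_ARNS},
         "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
         "Resource": "*"}]}

def bucket_policy():
    """Bucket policy: one Deny per header. Keys in a single StringNotEquals block are
    ANDed, so one combined statement would still admit SSE-KMS uploads naming the wrong key."""
    def deny(sid, key, value):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{BUCKET}/*",
                "Condition": {"StringNotEquals": {key: value}}}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyNonKms", "s3:x-amz-server-side-encryption", "aws:kms"),
        deny("DenyWrongKey", "s3:x-amz-server-side-encryption-aws-kms-key-id", KEY_ARN)]}

def kms_allowed(principal_arn, action):
    """Simplified key-policy evaluation. An '<account>:root' principal means identities in
    that account that an IAM policy also allows; a matching account id stands in for that."""
    account_root = "arn:aws:iam::" + principal_arn.split(":")[4] + ":root"
    for st in key_policy()["Statement"]:
        principals = st["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (principal_arn in principals or account_root in principals) and \
                any(fnmatch.fnmatchcase(action, a) for a in actions):
            return True
    return False

def put_allowed(headers):
    """Simplified bucket-policy evaluation: a missing request header counts as
    'not equal', so a Deny fires as soon as any statement's condition matches."""
    for st in bucket_policy()["Statement"]:
        cond = st["Condition"]["StringNotEquals"]
        if all(headers.get(k) != v for k, v in cond.items()):
            return False
    return True
```

Running kms_allowed for an uploader role with kms:Decrypt returns False while kms:GenerateDataKeyWithoutPlaintext returns True, and put_allowed rejects an upload that sets aws:kms with any key other than KEY_ARN.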
Data Security and Governance