AWS Certified Data Engineer Associate DEA-C01 Practice Question

An industrial IoT platform collects sensitive telemetry on edge devices and uploads the data to an Amazon S3 bucket. A compliance mandate states that neither plaintext data nor encryption keys may ever leave the devices or be visible to AWS services. Each device can perform symmetric encryption but should remain simple to operate. Which approach best satisfies the compliance requirement while minimizing operational overhead?

Stream the telemetry unencrypted into Amazon Kinesis Data Firehose and enable encryption with an AWS managed KMS key before delivery to S3.
Upload the data to the S3 bucket with server-side encryption using a customer-managed AWS KMS key (SSE-KMS).
Use the AWS Encryption SDK on each device to perform client-side encryption and upload the resulting ciphertext object to S3 with no server-side encryption setting.
Include a customer-provided encryption key in each PUT request so the bucket uses server-side encryption with customer-provided keys (SSE-C).

Report Issue

Answer Description

With client-side encryption, the edge device encrypts the data locally and retains full control of the encryption keys. Only ciphertext is transmitted to and stored in Amazon S3, so AWS never sees either the plaintext or the keys-meeting the mandate. Enabling SSE-KMS or SSE-C is a server-side solution: the object arrives at S3 unencrypted (or the key is sent with the request), meaning AWS has temporary access to the plaintext or the key. Encrypting later in Kinesis Data Firehose also exposes the plaintext in transit to AWS. Therefore, client-side encryption performed on each device and uploading the resulting ciphertext without any S3 server-side encryption enabled is the only compliant option.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.