AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct solution is to implement client-side encryption on the EC2 instances using the AWS Encryption SDK with a customer-managed key (CMK) from AWS KMS. This directly addresses the first requirement to encrypt data before transmission. Using a CMK gives the company full control over the key's policy and lifecycle, and automatic key rotation can be enabled, satisfying the second requirement. To fulfill the third requirement, applying an S3 bucket policy that denies uploads unless server-side encryption is specified (e.g., using the x-amz-server-side-encryption header) acts as an enforceable, defense-in-depth control. This ensures that even if a client-side process fails or is misconfigured, data is never stored unencrypted in the bucket.

• Using only Server-Side Encryption with KMS (SSE-KMS) is incorrect because the data is not encrypted on the client before transmission; it is sent in plaintext over the network to S3, where encryption then occurs. This fails the first requirement.

• Using Server-Side Encryption with Customer-Provided Keys (SSE-C) is incorrect. With SSE-C, the client manages the keys but sends the plaintext data and the encryption key to S3 in the same API call. S3 performs the encryption upon receipt. This does not meet the requirement to encrypt the data before transmission.

• Using the AWS Encryption SDK with an AWS-managed key is incorrect because AWS-managed keys do not provide the company with full control over the key's lifecycle or policies, which violates the second requirement. Furthermore, without an S3 bucket policy to enforce encryption, there is no guarantee that unencrypted objects will be rejected, failing the third requirement.