Question #1289
A financial institution is aggregating sensitive audit records in multiple Amazon S3 buckets within a centralized AWS environment. The security team requires that all data must be encrypted prior to storage and remain protected during transmission. Which solution ensures compliance with these requirements?
A. Implement client-side encryption to encrypt the data before it is transmitted to the S3 buckets.
B. Configure server-side encryption with Amazon S3 managed keys (SSE-S3) for all uploaded data.
C. Apply S3 bucket policies enforcing server-side encryption with AWS KMS keys (SSE-KMS) for all uploads.
D. Enable default encryption using AWS KMS customer-managed keys (CMK) for the S3 buckets.
Explanation
The correct answer is A. With client-side encryption the data is encrypted on the client, so only ciphertext ever leaves it: the records are already encrypted before they cross the network and before S3 writes them, which satisfies both the 'encrypted prior to storage' and the 'protected during transmission' requirement.
- Option A: Encrypts the data on the client before transmission, so it is protected in transit and is already encrypted when S3 stores it; AWS never receives the plaintext, and the keys stay under the institution's control.
- Options B/C/D: All three are forms of server-side encryption (SSE-S3, SSE-KMS, or default encryption with a KMS customer-managed key). The object arrives at S3 as plaintext inside the TLS session and is encrypted by the service before it is written to disk, so the encryption happens after transmission and is not done by the client prior to storage. Option C only rejects uploads that do not request SSE-KMS; it does not change where the encryption takes place.
Key Points:
- Client-side encryption encrypts the data before it leaves the client, so it is protected both in transit and at rest. In practice it is still combined with a bucket policy that denies requests where aws:SecureTransport is false, so request headers and object metadata also travel only over TLS.
- Server-side encryption encrypts data only after it reaches S3: the service receives the plaintext and encrypts it before writing it to disk, so the data is not encrypted prior to storage by the client.
- The question explicitly requires encryption prior to storage, so client-side encryption is the only option that meets it.
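As an added example (not part of the original question, and not code from any AWS SDK), the client-side envelope-encryption pattern in Go. The KMS calls (GenerateDataKey/Encrypt) and the S3 PutObject call are replaced by local stand-ins, a 32-byte master key held in memory and an in-memory struct, so the block runs offline; the audit record and the object key name are constructed sample data. The point it shows is the one the answer turns on: the bytes handed to the upload call are already ciphertext, so they are protected in transit whatever the transport does and are stored exactly as sent. Binding the S3 object key as associated data is an extra check, not something the question requires.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedObject is everything the client hands to the upload call; none of it is plaintext.
type EncryptedObject struct {
	Body       []byte // AES-256-GCM ciphertext of the audit record, tag appended
	BodyNonce  []byte // 96-bit nonce used for Body
	WrappedKey []byte // data key encrypted under the master key (KMS stand-in)
	KeyNonce   []byte // nonce used when wrapping the data key
}

// newGCM turns a raw 32-byte key into an AES-256-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with a fresh random nonce, binding aad.
func sealGCM(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM is the inverse of sealGCM; it fails on any change to ciphertext, nonce or aad.
func openGCM(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// EncryptForUpload does client-side envelope encryption of one audit record.
// objectKey is bound as associated data so a ciphertext cannot be moved to another S3 key.
// masterKey is a local stand-in for the KMS key that would wrap the data key in a real deployment.
func EncryptForUpload(objectKey string, record, masterKey []byte) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	bodyNonce, body, err := sealGCM(dataKey, record, []byte(objectKey))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := sealGCM(masterKey, dataKey, []byte(objectKey)) // KMS Encrypt stand-in
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // best-effort scrub of the plaintext data key
		dataKey[i] = 0
	}
	return &EncryptedObject{Body: body, BodyNonce: bodyNonce, WrappedKey: wrapped, KeyNonce: keyNonce}, nil
}

// DecryptDownloaded reverses EncryptForUpload for a client that holds the master key.
func DecryptDownloaded(objectKey string, obj *EncryptedObject, masterKey []byte) ([]byte, error) {
	dataKey, err := openGCM(masterKey, obj.KeyNonce, obj.WrappedKey, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, obj.BodyNonce, obj.Body, []byte(objectKey))
}

// LeaksPlaintext is the check the answer turns on: is the original record
// still visible in the bytes that would be passed to the upload call?
func LeaksPlaintext(obj *EncryptedObject, record []byte) bool {
	return bytes.Contains(obj.Body, record)
}

func main() {
	masterKey := make([]byte, 32) // stand-in for the KMS-held key
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	record := []byte(`{"event":"wire_transfer","actor":"alice","amount":"1000.00"}`) // constructed sample
	obj, err := EncryptForUpload("audit/2024/rec-0001.json", record, masterKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in upload body:", LeaksPlaintext(obj, record))
}
```

At the point where a real client would call s3.PutObject, obj.Body is the object and the nonces and wrapped key go into object metadata; the service only ever sees ciphertext, which is what distinguishes option A from the three server-side options. The AWS S3 Encryption Client follows the same envelope pattern with KMS doing the key wrapping.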
Answer
The correct answer is: A