Difficulty: Hard · 1 mark · Multiple Choice
Domain 2.3: Security Controls · Tags: Security, Encryption, S3

AWS SAP-C02 · Question 08 · Domain 2.3: Security Controls

A financial application stores highly sensitive PII in Amazon S3. The security team requires that the data be encrypted at rest using keys managed by the company's on-premises Hardware Security Module (HSM). Which encryption strategy should be used?

Answer options:

A. Use Server-Side Encryption with Amazon S3 managed keys (SSE-S3).

B. Use Server-Side Encryption with AWS KMS keys (SSE-KMS) using AWS managed keys.

C. Use AWS KMS with imported key material generated by the on-premises HSM.

D. Use Client-Side Encryption, encrypting the data on-premises before uploading to S3.

How to approach this question

If keys must be strictly managed by an on-premises HSM, Client-Side Encryption is the most secure and direct method.

Full Answer

D. Use Client-Side Encryption, encrypting the data on-premises before uploading to S3. ✓ Correct
Use AWS KMS with a custom key store backed by AWS CloudHSM, and configure CloudHSM to use the on-premises HSM as the root of trust.
Client-Side Encryption allows the application to encrypt data using keys from the on-premises HSM before sending it to S3, ensuring AWS never sees the plaintext data or the keys.

Common mistakes

Assuming KMS imported material is the only way; Client-Side is better for strict on-prem HSM requirements.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 1