Domain 2.3: Security Controls — AWS SAP-C02 Practice Question 08

How to approach this question

If keys must be strictly managed by an on-premises HSM, Client-Side Encryption is the most secure and direct method.

Full Answer

D.Use Client-Side Encryption, encrypting the data on-premises before uploading to S3.✓ Correct

Client-Side Encryption allows the application to encrypt data using keys from the on-premises HSM before sending it to S3, ensuring AWS never sees the plaintext data or the keys.

Common mistakes

Assuming KMS imported material is the only way; Client-Side is better for strict on-prem HSM requirements.

A financial application stores highly sensitive PII in Amazon S3. The security team requires that the data be encrypted at rest using keys managed by the company's on-premises Hardware Security Module (HSM). Which encryption strategy should be used?

How to approach this question

Full Answer

Common mistakes

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 1

More questions from this exam