Skip to Content

DVA-C02: How to Encrypt S3 Objects at Rest with SSE-S3 and PutObject API

Learn how to use server-side encryption with S3 managed keys (SSE-S3) to encrypt objects at rest when using the PutObject API operation. Find out the best solution and the steps to implement it.

Table of Contents

Question

A developer has an application that stores data in an Amazon S3 bucket. The application uses an HTTP API to store and retrieve objects. When the PutObject API operation adds objects to the S3 bucket the developer must encrypt these objects at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3).

Which solution will meet this requirement?

A. Create an AWS Key Management Service (AWS KMS) key. Assign the KMS key to the S3 bucket.
B. Set the x-amz-server-side-encryption header when invoking the PutObject API operation.
C. Provide the encryption key in the HTTP header of every request.
D. Apply TLS to encrypt the traffic to the S3 bucket.

Answer

B. Set the x-amz-server-side-encryption header when invoking the PutObject API operation.

Explanation

The correct answer is B. Set the x-amz-server-side-encryption header when invoking the PutObject API operation.

To encrypt objects at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3), the developer can use the x-amz-server-side-encryption header to request Amazon S3 to encrypt the object before saving it on disks in its data centers and decrypt it when the developer downloads the objects. This header specifies that Amazon S3 should use SSE-S3 to encrypt the object.

Option A is incorrect because creating an AWS Key Management Service (AWS KMS) key and assigning it to the S3 bucket will use server-side encryption with AWS KMS customer master keys (SSE-KMS) instead of SSE-S3. SSE-KMS provides additional benefits such as audit trails and key management, but it also requires additional permissions and costs.

Option C is incorrect because providing the encryption key in the HTTP header of every request will use server-side encryption with customer-provided keys (SSE-C) instead of SSE-S3. SSE-C allows the developer to maintain control of the encryption keys and requires that they provide an encryption key as part of every request to Amazon S3.

Option D is incorrect because applying TLS to encrypt the traffic to the S3 bucket will only encrypt the data in transit, not at rest. TLS is a protocol that provides secure communication over a network by using encryption, authentication, and integrity checks. It does not affect how the data is stored on the S3 bucket.

The latest AWS Certified Developer – Associate DVA-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Developer – Associate DVA-C02 exam and earn AWS Certified Developer – Associate DVA-C02 certification.

AWS Certified Developer - Associate DVA-C02 Exam Questions and Answers