AWS-S3 Encryption – Things You Must Know Before Taking Developer or Associate Exam


AWS S3 encryption might be an easy subject for many of you. The modes of encryption are fairly easy to understand, and most of you would not take another glance at them. You might want to spend your time and effort on more important areas like networking and VPC, but there are things you must understand before appearing for your AWS exam. Not paying attention to the nature and impact of each encryption mode might result in a wrong answer.

Mode of AWS questions

If you have appeared for our AWS exams before, or taken our demo exams, you might have noticed some patterns in the questions AWS asks.

They are lengthy in nature. They give you a situation, ask you to solve a problem, and provide a hint of the answer they are looking for. A problem can be solved in many different ways, but constraining it to the hint greatly reduces the options. Hence you have to understand the nuances and hints to make sure you select the correct answer.

Let me give you a couple of examples from the now retired version of the exam –

A company’s policy requires that all data stored in Amazon S3 is encrypted. The company wants to use the option with the least overhead and does not want to manage any encryption keys.
Which of the following options will meet the company’s requirements?
A.   AWS CloudHSM
B.   AWS Trusted Advisor
C.   Server Side Encryption (SSE-S3)
D.   Server Side Encryption (SSE-KMS)

The underlined phrases ("least overhead" and "does not want to manage any encryption keys") are the hints that determine the answer. This one is easy, and the answer is obviously C.

Following is a more difficult question to answer –

A company is evaluating Amazon S3 as a data storage solution for their daily analyst reports. The company has implemented stringent requirements concerning the security of the data at rest. Specifically, the CISO asked for the use of envelope encryption with separate permissions for the use of an envelope key, automated rotation of the encryption keys, and visibility into when an encryption key was used and by whom.
Which steps should a Solutions Architect take to satisfy the security requirements requested by the CISO?

A.   Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Customer-Provided Keys (SSE-C).

B.   Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).

C.   Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS).

D.   Create an Amazon S3 bucket to store the reports and use Amazon S3 versioning with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).

In the above question, several cues are given.

  • Data at rest means the encryption in question is not SSL/TLS
  • Envelope key, automated rotation, etc. mean the client side will provide the encryption keys
  • Visibility into which keys were used means audit capability

So, summing up all the above hints, we see that the encryption can happen on the server side, but the key would be managed on the client side. Hence the best answer would be C.
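To make the three server-side modes concrete, and to show how the "least overhead" hint in the first question and the envelope-key, rotation and audit hints in the second map onto what is actually sent to S3, here is an added example that is not part of the original post. It builds the PutObject headers each mode uses, checks a bucket's default-encryption configuration (the `Rules` part of a GetBucketEncryption response) against the CISO's requirements, and generates the usual bucket policy that rejects uploads which do not ask for SSE-KMS. The bucket name, the KMS key ARN and the sample configuration are constructed values; the header and condition-key names are the ones S3 documents.

```python
"""S3 server-side encryption: request headers per mode, a requirements check
and a deny-unencrypted-uploads bucket policy. Added example, not code from
the original post; bucket name and key ARN below are constructed."""
import base64
import hashlib
import json
import os
from typing import Dict, Optional

# Header names S3 uses for the three server-side encryption modes.
SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSEC_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"
SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"


def sse_headers(mode: str, kms_key_id: Optional[str] = None,
                customer_key: Optional[bytes] = None) -> Dict[str, str]:
    """PutObject headers that select a mode.
    SSE-S3:  S3 owns and rotates the key; nothing for the caller to manage.
    SSE-KMS: per-object envelope key wrapped by a KMS key, so KMS key policy,
             automatic rotation and CloudTrail logging of key use all apply.
    SSE-C:   caller sends the raw 256-bit key on every request; S3 does not
             store it, so losing the key loses the data."""
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:  # omitted -> the AWS managed key aws/s3 is used
            headers[KMS_KEY_HEADER] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 32-byte AES-256 key")
        return {
            SSEC_ALG_HEADER: "AES256",
            SSEC_KEY_HEADER: base64.b64encode(customer_key).decode(),
            # MD5 lets S3 detect a key corrupted in transit
            SSEC_MD5_HEADER: base64.b64encode(
                hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown mode {mode!r}")


def satisfies_ciso_requirements(bucket_encryption: dict) -> bool:
    """Envelope encryption with separately permissioned keys, automatic
    rotation and per-use audit: only a default of aws:kms gives all three."""
    for rule in bucket_encryption.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return True
    return False


def deny_unencrypted_uploads_policy(bucket: str, required: str = "aws:kms") -> dict:
    """Bucket policy denying PutObject unless the request asks for `required`,
    so the CISO's requirement is enforced rather than assumed."""
    arn = f"arn:aws:s3:::{bucket}/*"
    statement = {"Effect": "Deny", "Principal": "*",
                 "Action": "s3:PutObject", "Resource": arn}
    return {"Version": "2012-10-17", "Statement": [
        dict(statement, Sid="DenyWrongEncryption",
             Condition={"StringNotEquals": {SSE_CONDITION_KEY: required}}),
        dict(statement, Sid="DenyMissingEncryptionHeader",
             Condition={"Null": {SSE_CONDITION_KEY: "true"}}),
    ]}


def policy_allows_upload(policy: dict, request_headers: Dict[str, str]) -> bool:
    """Evaluate the two Deny statements against a request's headers; S3 maps
    the x-amz-server-side-encryption header onto the condition key."""
    value = request_headers.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "Null" in cond and value is None:
            return False
        if "StringNotEquals" in cond:
            # IAM treats a negated operator on an absent key as a match,
            # so a missing header is denied here as well.
            if value != cond["StringNotEquals"][SSE_CONDITION_KEY]:
                return False
    return True


if __name__ == "__main__":
    policy = deny_unencrypted_uploads_policy("constructed-reports-bucket")
    print(json.dumps(policy, indent=2))
    # Constructed key ARN; the account id is the one AWS uses in its examples.
    kms_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    for mode, kw in [("SSE-S3", {}), ("SSE-KMS", {"kms_key_id": kms_arn}),
                     ("SSE-C", {"customer_key": os.urandom(32)})]:
        allowed = policy_allows_upload(policy, sse_headers(mode, **kw))
        print(f"{mode}: {'allowed' if allowed else 'denied'}")
```

Note that an SSE-C upload never sets `x-amz-server-side-encryption` at all, so the "require aws:kms" policy rejects it along with SSE-S3 and unencrypted requests; this is the same distinction the second question relies on.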

Strategy to Always Answer Correctly – AWS Encryption Cheat-Sheet

I created the following cheat sheet when I appeared for my AWS exam. It served me well and I am sharing it with you. I think it will help you identify the hints and answer correctly.

[Cheat-sheet image: AWS-S3 Encryption]
