While preparing for the AWS SAP-C02, many candidates get confused by encryption key management for S3. In reality, this is fundamentally a decision about security posture versus operational cost and complexity. Let’s drill into a simulated scenario.
The Scenario #
Zenith Health Solutions, a mid-sized health insurer, currently stores sensitive Personally Identifiable Information (PII) within an Amazon S3 bucket. The company uses Amazon S3’s default server-side encryption with S3-managed keys (SSE-S3). New corporate security guidelines now require all data in the bucket, both existing and future objects, to be encrypted using encryption keys managed by the internal security team. The S3 bucket does NOT have versioning enabled.
Key Requirements #
Update encryption for all existing and future S3 objects so that the data is encrypted with customer-managed keys (CMKs) as mandated by the security team, ensuring compliance without disrupting access. The solution must prevent uploads of unencrypted objects.
The Options #
- A) Change the S3 bucket’s default encryption to use SSE-S3 with customer-provided keys. Re-upload all existing objects with this encryption using the AWS CLI. Apply a bucket policy to deny any PutObject requests without encryption.
- B) Update the bucket default encryption to use server-side encryption with AWS KMS-managed keys (SSE-KMS). Re-upload all existing objects using AWS CLI with SSE-KMS encryption. Apply a bucket policy to deny any PutObject requests without encryption.
- C) Update the bucket default encryption to use SSE-KMS with customer-managed AWS KMS keys. Apply a bucket policy that enforces encryption on GetObject and PutObject requests automatically.
- D) Change bucket encryption default to AES-256 with customer-managed keys. Attach a bucket policy denying unencrypted PutObject requests. Re-upload all objects with this encryption using AWS CLI.
Correct Answer #
Option B.
Step-by-Step Winning Logic #
Option B moves the bucket from SSE-S3 to SSE-KMS. To satisfy the security team's mandate, the default key must be a customer managed KMS key that the team owns (key policy, grants and rotation schedule under its control), not the AWS managed aws/s3 key, whose key policy cannot be edited. Changing the bucket default encryption makes every new object use SSE-KMS automatically, but it does not touch objects already stored: those must be rewritten with the new settings, for example by copying each object onto itself with SSE-KMS (a recursive copy from the AWS CLI, or an S3 Batch Operations Copy job for large buckets). Because versioning is off, the rewrite replaces the SSE-S3 object in place rather than leaving it behind as a noncurrent version that would still need handling. The bucket policy denying PutObject requests that do not ask for SSE-KMS is the guardrail that stops accidental (or deliberate) uploads under weaker encryption.
SSE-KMS adds cost because uploads and downloads call KMS for data-key operations (enabling an S3 Bucket Key cuts that request volume substantially), but in return every key use is logged in CloudTrail, access to the key can be restricted in the key policy independently of the bucket policy, and rotation is under the team's control. That is exactly what a regulated health insurer needs, so this option balances strong security controls with operational best practice.
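The three steps above (default encryption, in-place re-encryption of existing objects, deny-unencrypted bucket policy) as an added worked example in Python with boto3; this is not code from the original page. The bucket name, KMS key ARN and function names are hypothetical, and the dry-run evaluator models only the two IAM condition operators the policy uses, assuming the caller's identity already has an Allow for s3:PutObject.

```python
import json

# Hypothetical identifiers for this example; substitute real values.
BUCKET = "zenith-pii-bucket"
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")


def default_encryption_config(kms_key_arn, bucket_key_enabled=True):
    """Bucket default-encryption rule: SSE-KMS with a customer managed key.
    BucketKeyEnabled reduces KMS request volume (and cost) for new objects."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": kms_key_arn,
        },
        "BucketKeyEnabled": bucket_key_enabled,
    }]}


def guardrail_policy(bucket):
    """Bucket policy denying PutObject unless the request asks for SSE-KMS.
    Two statements: 'Null' catches a missing encryption header, and
    'StringNotEquals' catches AES256 (SSE-S3) or any other value."""
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*"}
    return {"Version": "2012-10-17", "Statement": [
        {**deny, "Sid": "DenyPutObjectWithoutSseHeader",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {**deny, "Sid": "DenyPutObjectNotSseKms",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


def _condition_matches(condition, headers):
    """Evaluate the operators used in guardrail_policy with IAM's missing-key
    semantics: Null/true matches an absent key, and the negated
    StringNotEquals also matches when the key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            # s3:x-amz-server-side-encryption is backed by the request header
            # of the same name without the "s3:" prefix.
            actual = headers.get(key.split(":", 1)[1])
            if operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def put_object_allowed(policy, headers):
    """Dry-run a PutObject against the policy's explicit Deny statements.
    An explicit Deny always wins, so any matching Deny blocks the upload."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if (stmt["Effect"] == "Deny" and "s3:PutObject" in actions
                and _condition_matches(stmt.get("Condition", {}), headers)):
            return False
    return True


def reencrypt_existing_objects(s3, bucket, kms_key_arn):
    """Rewrite every object with SSE-KMS by copying it onto itself (S3 allows
    a same-key copy when the encryption settings change). With versioning
    off, the SSE-S3 copy is replaced, not kept as an older version. Objects
    over 5 GB need a multipart copy or S3 Batch Operations instead.
    `s3` is a boto3 S3 client; returns the keys rewritten."""
    rewritten = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            s3.copy_object(Bucket=bucket, Key=obj["Key"],
                           CopySource={"Bucket": bucket, "Key": obj["Key"]},
                           ServerSideEncryption="aws:kms",
                           SSEKMSKeyId=kms_key_arn, MetadataDirective="COPY")
            rewritten.append(obj["Key"])
    return rewritten


def apply(bucket=BUCKET, kms_key_arn=KMS_KEY_ARN):
    """Apply all three steps to a real bucket (needs boto3 and credentials).
    Existing objects are rewritten before the Deny policy is attached."""
    import boto3  # imported here so the dry-run helpers work offline
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(kms_key_arn))
    rewritten = reencrypt_existing_objects(s3, bucket, kms_key_arn)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(guardrail_policy(bucket)))
    return rewritten


if __name__ == "__main__":
    policy = guardrail_policy(BUCKET)
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", "allowed" if put_object_allowed(policy, hdrs) else "denied")
```

The Null statement means every client must send the encryption header explicitly, even though the bucket default would encrypt an unlabelled upload anyway; that is the intended strictness here, but it is the reason CLI and SDK uploads must pass the SSE-KMS option. Pinning the key ID with a third statement on s3:x-amz-server-side-encryption-aws-kms-key-id is possible too, at the cost of also rejecting uploads that rely on the bucket default key.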
💎 The Architect’s Deep Dive: Why Options Fail #
The Traps (Distractor Analysis) #
- Why not A? SSE-S3 keys are generated and managed by S3; there is no way to bring a customer-managed key to it. "Customer-provided keys" describes a different mode, SSE-C, in which the client supplies the raw key on every request and S3 keeps no copy. That gives the security team no central key management, rotation or audit trail, so the option is invalid as written.
- Why not C? Encryption is applied at rest, so there is nothing to enforce on GetObject; the s3:x-amz-server-side-encryption condition key is only meaningful for PutObject and copy requests, and a GetObject deny keyed on that header would reject every read, since GET requests do not carry it. The option also never re-encrypts the existing objects: changing the default encryption affects only new writes, so the existing PII would stay under SSE-S3 and the requirement for existing data would be missed.
- Why not D? AES256 is the literal value of the x-amz-server-side-encryption header (and the SSEAlgorithm setting) that selects SSE-S3, i.e. S3-managed keys; there is no "AES-256 with customer-managed keys" option. KMS keys also encrypt with AES-256 underneath, but selecting them means choosing aws:kms, not AES256. The option is ambiguous at best and, read literally, fails the key-ownership requirement.
The Architect Blueprint #
```mermaid
graph TD
    User([User]) -->|PutObject request| S3Bucket[S3 Bucket]
    S3Bucket -->|Encrypts with| KMSKey[AWS KMS Customer-Managed Key]
    ExistingObjects[Existing SSE-S3 objects] -->|Copy in place with SSE-KMS| S3Bucket
    BucketPolicy[Bucket policy: deny PutObject without aws:kms] -->|Enforces encryption guardrail| S3Bucket
    User -->|GetObject request| S3Bucket
```
Diagram Note: This diagram illustrates user interaction with S3 bucket enforcing SSE-KMS encryption via customer-managed keys along with a bucket policy that denies unencrypted uploads. Existing objects are re-uploaded to meet new encryption standards.
The Decision Matrix #
(Mandatory for Professional Level)
| Option | Est. Complexity | Est. Monthly Cost (Quantified) | Pros | Cons |
|---|---|---|---|---|
| A | Medium | Low ($0) | Attempts to use customer keys with SSE-S3 | SSE-S3 does not support CMKs; invalid solution |
| B | Medium-High | Medium ($50 - $200, depends on usage) | Strong security with CMKs, compliance enforced | Additional KMS costs, re-upload effort |
| C | High | Medium ($50 - $200) | Enforces encryption guardrails | Encryption on GET unnecessary; misses re-encryption step |
| D | Medium | Low ($0) | Use of AES-256 common method | Ambiguous CMK management; likely non-compliant |
Real-World Practitioner Insight #
Exam Rule #
For the exam, pick SSE-KMS with a customer-managed key (CMK) whenever the requirement mentions customer control, auditing or rotation of S3 encryption keys. Remember that changing the bucket default never re-encrypts existing objects: if the requirement covers existing data, the correct answer must include a re-encryption step, and the guardrail against unencrypted uploads is a bucket policy on PutObject, never on GetObject.