Which S3 server-side encryption option uses AWS Key Management Service (KMS) to manage encryption keys?
Think about which option integrates with AWS KMS for key management.
SSE-KMS uses AWS Key Management Service to manage encryption keys, providing additional control and audit capabilities compared to SSE-S3.
If you enable default encryption on an S3 bucket with SSE-S3, what happens when a new object is uploaded without specifying encryption?
Consider the effect of default encryption settings on new uploads.
When default encryption is enabled with SSE-S3, all new objects are encrypted automatically using SSE-S3 if no encryption is specified.
Which bucket policy condition enforces that all PUT requests must use SSE-KMS encryption?
Look for the condition that matches the SSE-KMS encryption header.
The condition with "s3:x-amz-server-side-encryption": "aws:kms" ensures that PUT requests use SSE-KMS encryption.
What is a key security responsibility when using SSE-C (server-side encryption with customer-provided keys) in S3?
Think about who controls the keys in SSE-C.
With SSE-C, the customer provides the encryption key with each request and is responsible for managing it securely. AWS does not store the key.
Your company requires detailed audit logs for encryption key usage and wants to control key rotation policies. Which S3 encryption option best meets these requirements?
Consider which option offers audit logs and key rotation control.
SSE-KMS with customer-managed keys allows detailed audit logging and key rotation control via AWS KMS, meeting compliance needs.