
  • Exam question: KMS and own encryption keys

  • ch34

    Member
    May 2, 2025 at 11:45 pm

    Hi,

    My topic is about this exam question:

    A company wants to migrate its on-premises application to the AWS cloud. Due to limited manpower, the company wants to utilize fully managed AWS services as much as possible. This way, there will be less maintenance work after the migration. The application processes large files containing sensitive information so the company has the following requirements:

    One of the requirements is:

    The company must be able to use its own encryption key and then periodically rotated for improved security.


    The correct answer mentions using SSE-KMS for S3.

    Would SSE-C be correct, too?

    At first I thought only SSE-C can be correct as this means that I’m using my own encryption key. But when using SSE-KMS I’m using an own encryption key, too. It’s just saved on the AWS side instead of on my side (SSE-C). That’s the logic behind the correct answer, right?

    So is the wording just a little bit unclear here or am I missing something?

    To summarize my understanding of SSE-C/SSE-KMS:

    SSE-C: own encryption key stays on my side (although I’m sending the key as a base64-encoded header to AWS in the request, long-term storage happens on my side)

    SSE-KMS: own encryption key stays on AWS side


    Thanks,

    Chris

  • JR-TutorialsDojo

    Administrator
    May 5, 2025 at 10:50 am

    Hello Chris,

    Thanks for the feedback.

    With SSE-C, you do own and manage the encryption key, but it’s not integrated into AWS’s managed services, and AWS doesn’t handle key rotation for you. Additionally, Amazon Redshift Spectrum does not support Amazon S3 client-side encryption.

    Please refer to this: https://docs.aws.amazon.com/redshift/latest/dg/c-spectrum-data-files.html#c-spectrum-data-files-encryption

    On the other hand, with SSE-KMS, you can still use your own customer-managed key, but AWS manages its lifecycle, including automatic rotation. This is a more secure and scalable solution that fits the requirements of the scenario and integrates with AWS services like Redshift Spectrum.

    Please refer to this: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#aws-managed-customer-managed-keys

    I hope this helps! Please let us know if you need further assistance.

    Best regards,
    JR @ Tutorials Dojo
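The difference the two posts above describe can be seen in what each mode sends with an S3 request. The following is an added example (not from either post or from AWS) that builds the SSE-C and SSE-KMS request headers S3 documents, and shows why rotating an SSE-C key means re-encrypting every object yourself while SSE-KMS rotation is a single KMS setting. The key bytes and the `alias/app-data-key` KMS alias are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample values; any 32-byte secret and any KMS key id would do.
OLD_KEY = bytes(32)                 # all-zero 256-bit key, illustration only
NEW_KEY = bytes(range(32))          # the replacement key after rotation
KMS_KEY_ID = "alias/app-data-key"   # hypothetical customer-managed KMS key alias


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def sse_c_headers(key: bytes, prefix: str = "x-amz-") -> dict:
    """Headers S3 requires for SSE-C. With prefix 'x-amz-copy-source-' they name the
    key of the source object on CopyObject. The raw key (base64) and its MD5 travel
    in every request; S3 uses the key for that request only and does not store it."""
    if len(key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
    return {
        f"{prefix}server-side-encryption-customer-algorithm": "AES256",
        f"{prefix}server-side-encryption-customer-key": _b64(key),
        f"{prefix}server-side-encryption-customer-key-MD5": _b64(hashlib.md5(key).digest()),
    }


def sse_kms_headers(kms_key_id: str) -> dict:
    """Headers for SSE-KMS: only a key identifier is sent; key material stays in KMS."""
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_id,
    }


def carries_key_material(headers: dict) -> bool:
    """True if the raw encryption key would leave the client with this request."""
    return any(h.endswith("customer-key") for h in headers)


def sse_c_rotation_plan(object_keys, old_key: bytes, new_key: bytes) -> dict:
    """Rotating an SSE-C key is the client's job: one CopyObject per object, with the
    old key for the source and the new key for the destination. Returns per-object headers."""
    return {obj: {**sse_c_headers(old_key, "x-amz-copy-source-"), **sse_c_headers(new_key)}
            for obj in object_keys}


def sse_kms_rotation_plan(object_keys, kms_key_id: str) -> dict:
    """With SSE-KMS, rotation is enabled on the KMS key itself (kms:EnableKeyRotation);
    existing objects need no per-object work."""
    return {"api_call": "kms:EnableKeyRotation", "KeyId": kms_key_id, "per_object_operations": 0}
```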
