AWS Certified Solutions Architect Associate forum thread: Practice Exam 3 Question
-
Hello veen,
Thank you for your feedback.
Yes, you are correct. Server-side encryption (SSE) is enabled by default for Amazon S3 buckets. But it is also important to note that you can configure the default encryption for an Amazon S3 bucket. You can use server-side encryption with Amazon S3 managed keys (SSE-S3) (the default one, which uses one of the strongest block ciphers, 256-bit Advanced Encryption Standard (AES-256), to encrypt each object uploaded to the bucket), server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), or dual-layer server-side encryption with AWS KMS keys (DSSE-KMS).
Therefore, in the given scenario, “Enable SSE on an S3 bucket to make use of AES-256 encryption” is one of the correct answers, since it’s still relevant to know and choose the specific SSE settings based on your encryption needs, and the use of AES-256 encryption is part of the SSE-S3 default encryption.
Hope this clarifies any confusion. If you need further assistance please do not hesitate to contact us.
Regards,
Nikee @ Tutorials Dojo
-
Hello Nikee,
I am new here, and I have taken my first exam set with DOJO.
I have a question/clarification over “Encrypt your data using your own encryption keys”. Could we not use dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS)? I mean, that option could have been included as an answer instead of “encrypt your data using your own encryption keys”?
While scrutinizing the given four (04) answers, and choosing two (02) as correct answers:
(1) Why did “Encrypt your data using your own encryption keys” come into the picture?
(2) Why was AWS Key Management Service keys (DSSE-KMS) NOT given as an option to choose, as it is well within S3?
AWS Key Management Service keys (DSSE-KMS) vs. encrypting your data using your own encryption keys: is it purely related to cost?
Then, once the company is using a CMK (encrypt your data using your own encryption keys), once encrypted on the client side:
(a) Which is the best protocol, the most secure one, to upload to S3?
(b) How does S3 handle this (based on Veen’s confusion): if the bucket is encrypted by default, does S3 accept encrypted data?
Regards,
Denzil
-
Hello Denzil,
Welcome to the TD, and it’s great to see you’re diving deep into AWS security concepts! Your questions show a keen interest in understanding the nuances of data encryption in AWS, particularly with S3. Let’s address your queries one by one.
The concept of dual-layer server-side encryption with AWS Key Management Service (KMS) keys, or DSSE-KMS, is an advanced encryption model where data is encrypted under two layers of security managed by AWS KMS. For your first question, about why “Encrypt your data using your own encryption keys” came into the picture: this option represents client-side encryption, where you encrypt the data on your side before uploading it to S3. This approach gives you complete control over the encryption keys and the encryption process. It’s beneficial when you want to ensure that no one, not even AWS, can decrypt your data without your keys.
Secondly, regarding your question about why AWS KMS (DSSE-KMS) wasn’t explicitly listed as one of the options: AWS Key Management Service (KMS) is a highly secure and convenient way to manage encryption keys and implement server-side and client-side encryption within AWS services, including S3. It wasn’t specified because the question aimed to test your knowledge of basic encryption capabilities within S3.
The decision between using your own encryption keys or AWS KMS is not purely about cost, though cost can be a factor. AWS KMS involves costs based on the number of API calls and the management of customer master keys, but it also offers benefits in terms of ease of use, integration with AWS services, and security features like key rotation and centralized management. Using your own keys might avoid these costs but requires more effort in key management, security, and compliance.
Whether you’re encrypting data client-side or server-side, using a secure protocol such as HTTPS for uploading your data to S3 is essential. HTTPS ensures that your data is encrypted in transit, preventing interception by third parties. Amazon S3 can accept data that’s already encrypted client-side without any issues. When you upload client-side encrypted data to an S3 bucket, even if the bucket is configured to use default encryption (such as SSE-S3 or SSE-KMS), S3 stores the uploaded data as-is. The data will remain encrypted with your client-side encryption and any server-side encryption applied by the bucket’s settings. Essentially, the data is double-encrypted: once by you before upload and once by S3 upon storage if server-side encryption is enabled.
If you have any more questions or need further clarification, feel free to ask.
Regards,
Nikee @ Tutorials Dojo
-
Good day to you, Nikee,
Thank you so much for your detailed, technical response.
What a lovely, amazing technical answer!!!! I am delighted!!!
Indeed, I am highly keen to know, or rather may I say construct, my knowledge of AWS Security, and S3 seems to be a service that AWS alone refers to.
You made it extremely clear: why, why not, how and what. It was a great education, especially when you stressed that it was all to test “my” knowledge.
Well, as I walk through the questions and answers, and while I walk through the Video/HOL, I am confident that I shall have more questions. I shall post them accordingly.
By the way, in this wonderful DOJO-TD, is there a way to filter topics per AWS service, like S3, CloudFormation, etc.?
Kind Regards,
Denzil
-
Hello Denzil,
Thank you for your heartfelt message! We’re thrilled to hear that our response has helped to enrich your understanding of AWS Security and S3. It’s always our goal to provide clear, comprehensive insights that not only answer your questions but also enhance your learning experience.
Regarding your question about filtering topics according to specific AWS Services like S3, CloudFormation, etc., please note that in our SAA-C03 practice exam, we’ve introduced Topic-based questions, which are positioned right after the Section-based questions. This feature is designed to help you refine your study focus and delve deeper into specific areas, such as S3.
Furthermore, we’re delighted to introduce you to our collection of free AWS Digital courses. These courses are a fantastic resource for expanding your knowledge of AWS services. Visit this link.
Thank you once again for your kind words and for choosing us as a partner in your AWS learning journey. We can’t wait to see where this path takes you!
Kind Regards,
Nikee @ Tutorials Dojo
-
Hello Nikee,
I hope you would not mind me asking this question too.
Based on the same question, answers and so on, would an IAM or resource-based policy work better, or rather more effectively?
In fact, how may I differentiate between the two types of permissions, IAM or resource-based?
If possible, if I am not seeking too much, could you provide sample JSON code for both, with a bit of an explanation?
What exactly are “STS: Permission Boundaries”? How do they work?
Kind Regards,
Denzil
-
Good day to you, Nikee,
Thank you for your kind response.
In fact, yesterday I purchased, at zero cost, the free courses you advised me on, as well as the eBook related to SAA-C03.
I am glad you were happy to read my comments; that is how I find DOJO assisting me.
As regards “We can’t wait to see where this path takes you!”: the only path is success, through the knowledge that DOJO is providing. This knowledge, the exam and success mean a lot to me.
Kind Regards,
Denzil