Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 31 discussion

B. Set the x-amz-server-side-encryption header when invoking the PutObject API operation. When using the PutObject API operation to store objects in an S3 bucket, the x-amz-server-side-encryption header can be set to specify the server-side encryption algorithm used to encrypt the object. Setting this header to "AES256" or "aws:kms" enables server-side encryption with SSE-S3 or SSE-KMS respectively. Option A is incorrect because assigning a KMS key to the S3 bucket will not enable SSE-S3 encryption. Option C is incorrect because providing the encryption key in the HTTP header of every request is not a valid way to enable SSE-S3 encryption. Option D is incorrect because applying TLS encryption to the traffic to the S3 bucket only encrypts the data in transit, but does not encrypt the objects at rest in the bucket.

B https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html

A) Eliminated - While AWS Key Management Service (KMS) keys can be used for encryption in S3 (SSE-KMS), this option refers to creating a custom KMS key, which is not required when using SSE-S3. B) Correct - The x-amz-server-side-encryption header is the correct way to specify the use of SSE-S3 when uploading objects to S3 via the PutObject API. C) Eliminated - Providing an encryption key in the HTTP header refers to client-side encryption or SSE-C D) Eliminated - TLS (Transport Layer Security) encrypts data in transit, not at rest.

==> Discard A: SSE-KMS uses AWS KMS keys, not Amazon S3-managed keys required for SSE-S3. ==> Discard C: SSE-C requires customer-provided keys, not Amazon S3-managed keys for SSE-S3. ==> Discard D: TLS encrypts data in transit, not at rest as required by SSE-S3. B is correct because setting `x-amz-server-side-encryption: AES256` ensures Amazon S3 uses SSE-S3 to encrypt objects at rest automatically.

B is the correct answer.

Answer is B

Aren't objects on s3 encrypted using SSE-S3 by default? I don't understand why D is not the answer.

Answer for this question is changed starting January 5, 2023. Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html

Header parameter "s3:x-amz-server-side-encryption": "AES256"

C is a way to use customer-provided keys not S3-managed keys.

C is correct and hear is the reason from AWS docs. Visit AWS Regions and Endpoints in the AWS General Reference or the AWS Region Table to see the regional availability for ACM. Certificates in ACM are regional resources. To use a certificate with Elastic Load Balancing for the same fully qualified domain name (FQDN) or set of FQDNs in more than one AWS region, you must request or import a certificate for each region. For certificates provided by ACM, this means you must revalidate each domain name in the certificate for each region. You cannot copy a certificate between regions. To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.