A cloud engineer is configuring encryption for data stored in an S3 bucket. The company requires that encryption keys be managed by the organization, not the cloud provider. Which encryption option should be used?
SSE-C allows the customer to supply and manage their own keys.
Why this answer
SSE-C (Server-Side Encryption with Customer-Provided Keys) allows the organization to manage their own encryption keys while AWS handles the encryption and decryption process. The customer provides the encryption key in each request, and AWS discards the key after the operation, ensuring the cloud provider never stores the key. This meets the requirement that keys be managed by the organization, not the cloud provider.
Exam trap
The trap here is that candidates confuse SSE-KMS with customer-managed keys, but KMS keys are still managed by AWS as a service, whereas SSE-C requires the customer to provide the key directly with each request, giving the organization full control.
How to eliminate wrong answers
Option A (SSE-KMS) is wrong because AWS Key Management Service (KMS) manages the keys, meaning the cloud provider retains control over key lifecycle and policies, which does not satisfy the requirement for organization-managed keys. Option B (SSE-S3) is wrong because Amazon S3 manages the encryption keys entirely, with no customer control over or visibility into the key material. Option D (Client-side encryption) is wrong because encryption occurs on the client before the data is sent to S3; this is a different approach from server-side encryption and does not involve AWS performing the encryption. The question specifies configuring encryption for data stored in an S3 bucket, which implies server-side encryption.