A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?

Use server-side encryption with a cloud-managed key (SSE-S3) and restrict access with bucket policies.

Server-side encryption with a cloud-managed key means the cloud provider holds the encryption key and automatically decrypts data for any user who satisfies the bucket policy. If the bucket becomes public, users with read access can retrieve the decrypted data, negating protection. This does not provide defense in depth against accidental public exposure.

Use default encryption with a cloud-managed key (SSE-S3) and enable bucket logging.

Default SSE-S3 encryption is equivalent to server-side encryption with a cloud-managed key. Enabling logging only provides detective capability; it does not prevent data exposure if the bucket is public. The data would be decrypted by the cloud provider for any authorized read request, exposing plaintext to anyone with read access.

Use server-side encryption with a customer-provided key (SSE-C) and require MFA for delete operations on the bucket.

SSE-C requires the client to supply the encryption key for each read request, so an attacker without the key cannot decrypt the data. However, this design relies on server-side encryption, meaning the cloud provider briefly processes the plaintext during upload. More importantly, the MFA requirement only protects against unauthorized deletion, not against unauthorized read access. Client-side encryption is a more robust defense in depth, as it ensures the cloud provider never has access to plaintext at any point.

What does this SY0-701 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Use client-side encryption with a customer-managed key stored in a hardware security module (HSM) and restrict access with IAM roles. — The scenario requires defense in depth such that even if a bucket is made publicly accessible, the data remains confidential. Client-side encryption with a customer-managed key stored in an HSM ensures the data is encrypted before it ever reaches the cloud provider. The cloud provider never has access to the plaintext or the encryption key, so public access to the bucket only exposes encrypted ciphertext, which is useless without the key. This is the strongest protection against accidental public exposure. Server-side encryption options still involve the cloud provider in the encryption process, and if the bucket is public and the provider has the key (as in SSE-S3 or default encryption), the provider could decrypt the data for anyone with read access. SSE-C (server-side encryption with customer-provided key) requires the client to supply the key for read operations; while this prevents unauthorized decryption, the cloud provider still briefly handles the plaintext during upload, and the design is not as resilient as client-side encryption. Adding MFA for delete operations does not address read access. Thus, the client-side encryption with an HSM-stored key is the best choice.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.