AWS · DVA-C02

Data Protection And Encryption Design — AWS Developer (DVA-C02)

10% of exam questions (20 of 200)

SSE-S3 vs SSE-KMS vs Client-Side Encryption Scope

SSE-S3 and SSE-KMS both encrypt objects at rest, but only SSE-KMS gives you CloudTrail audit logs for every key-usage event. A scenario says 'data must be encrypted', so candidates enable SSE-S3 and stop there. The question may actually be asking about in-transit enforcement via an HTTPS-only bucket policy, client-side encryption before upload, or KMS customer-managed keys for audit and rotation control. Conflating these controls produces an answer that satisfies one requirement while leaving another explicitly unmet. KMS key rotation can be enabled automatically for customer-managed keys on an annual schedule without application-level changes.

What This Pattern Tests

The exam tests encryption decision points across services. S3 offers SSE-S3 (AWS manages the keys, zero configuration), SSE-KMS (a customer-managed KMS key with CloudTrail logging of every key use, key policy controls, and automatic rotation), and SSE-C (you supply the key on each request and AWS never stores it). The decision follows the requirement: "encrypt at rest" = SSE-S3; "audit every access to encrypted data" = SSE-KMS with CloudTrail; "regulatory requirement to control the HSM" = CloudHSM. Cross-account access to encrypted data requires a KMS key policy that grants the other account permission — a common exam scenario.
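As an added example, not part of the original page: a small Python checker that keeps apart the three controls the two paragraphs above say candidates conflate (TLS-only transport, SSE-KMS on upload, one specific customer-managed key), run over two constructed bucket policies. The bucket and KMS key ARNs are placeholders; the condition keys are S3's own, everything else is constructed here.

```python
"""Check an S3 bucket policy for the three controls this section keeps apart:
TLS-only transport, SSE-KMS on upload, and use of one specific customer-managed key."""
import json

# Constructed placeholders for the example; not real resources.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def deny(sid, action, condition):
    """Build one Deny statement scoped to the example bucket and its objects."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": action,
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"], "Condition": condition}


# Hardened policy: each requirement is its own statement, so none is left implicit.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    # in transit: refuse every request that does not arrive over TLS
    deny("DenyInsecureTransport", "s3:*", {"Bool": {"aws:SecureTransport": "false"}}),
    # at rest: uploads must ask for SSE-KMS (SSE-S3 sends "AES256" and is refused)
    deny("DenyNonKmsUploads", "s3:PutObject",
         {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
    # key ownership: the SSE-KMS key must be our customer-managed key
    deny("DenyOtherKeys", "s3:PutObject",
         {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN}}),
]})

# The "data must be encrypted, so enable SSE-S3 and stop there" policy, for comparison.
SSE_S3_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    deny("DenyUnencryptedUploads", "s3:PutObject",
         {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}),
]})


def check_controls(policy_json, cmk_arn):
    """Report which requirements the policy's Deny statements actually enforce."""
    found = {"tls_only": False, "sse_kms": False, "specific_cmk": False}
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        not_eq = cond.get("StringNotEquals", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            found["tls_only"] = True
        if not_eq.get("s3:x-amz-server-side-encryption") == "aws:kms":
            found["sse_kms"] = True
        if not_eq.get("s3:x-amz-server-side-encryption-aws-kms-key-id") == cmk_arn:
            found["specific_cmk"] = True
    return found
```

Pair the policy with bucket default encryption set to the same CMK, so an upload that omits the encryption header still lands encrypted with the intended key.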

Decision Axis

Key management responsibility (zero vs. policy control vs. full ownership) maps to compliance requirements.

Associated Traps

Decision Rules

Whether to use an AWS-managed key (aws/s3) or a customer-managed KMS key (CMK) when the scenario adds explicit operational control requirements: a customer-defined rotation schedule and per-call CloudTrail audit visibility scoped to a specific key.

AWS Key Management Service · Amazon S3 · AWS CloudTrail

Whether encryption-at-rest for stored data is achieved by a KMS CMK integrated at the RDS storage layer and S3 SSE-KMS, or by Secrets Manager — recognising that Secrets Manager protects connection credentials and is orthogonal to disk-level data encryption.

AWS Key Management Service · Amazon RDS · AWS Secrets Manager

Whether automatic rotation capability — not encryption at rest alone — is the decisive axis that disqualifies Parameter Store SecureString and mandates Secrets Manager.

AWS Secrets Manager · AWS Systems Manager Parameter Store

Select SSE-KMS with a customer-managed key over SSE-S3 because only SSE-KMS with a CMK produces per-request CloudTrail key-usage events and grants the organization direct key-rotation authority; SSE-S3 satisfies encryption at rest but fails the auditability and key-ownership constraints.

AWS Key Management Service · Amazon S3

Whether automatic rotation capability—native to Secrets Manager—or encryption-at-rest equivalence—shared by both services via KMS—is the disqualifying axis when a hard compliance rotation interval is mandated.

AWS Secrets Manager · AWS Systems Manager Parameter Store · AWS Key Management Service

Domain Coverage

Security

Difficulty Breakdown

Medium: 8 · Hard: 12