AWS · SAP-C02

Data Protection And Encryption Design — AWS Solutions Architect Pro (SAP-C02)

3% of exam questions (5 of 200)

SSE-KMS Encrypts Stored Data; Bucket Policy Enforces TLS

Server-side encryption with SSE-S3 or SSE-KMS protects data written to disk in S3. It does nothing to enforce HTTPS for requests that read or write that data. Selecting server-side encryption to satisfy a 'data must be protected in transit' requirement answers the wrong threat. Enforcing TLS for all S3 bucket access requires a bucket policy with an explicit deny whose condition matches requests where `aws:SecureTransport` is false. SAP-C02 questions describe both threats in a single scenario: encryption at rest and encryption in transit. Addressing only one, or treating them as a single control, is the wrong answer. Each threat vector requires its own corresponding control, and server-side encryption does not satisfy the in-transit requirement.
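A bucket policy that carries both controls as separate statements, added here as an illustration rather than taken from the page or from AWS documentation: the first statement denies every bucket- and object-level request that arrives without TLS, the second denies object uploads that do not specify SSE-KMS. The bucket name `example-bucket` is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

The first statement lists both the bucket ARN and the object ARN because bucket-level operations such as listing match only the former; dropping either statement reopens exactly one of the two gaps the paragraph distinguishes.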

What This Pattern Tests

The exam tests encryption decision points across services. S3 offers SSE-S3 (AWS manages keys, zero config), SSE-KMS (customer-managed KMS key with CloudTrail logging of every key use, key policy controls, automatic rotation), and SSE-C (you provide the key per request, AWS never stores it). The decision depends on requirements: "encrypt at rest" = SSE-S3. "Audit every access to encrypted data" = SSE-KMS with CloudTrail. "Regulatory requirement to control HSM" = CloudHSM. Cross-account access to encrypted data requires KMS key policies that grant the other account permission — a common exam scenario.

Decision Axis

Key management responsibility (zero vs. policy control vs. full ownership) maps to compliance requirements.

Decision Rules

Whether a customer-managed KMS CMK in the standard KMS software keystore or a CloudHSM-backed KMS custom key store is the minimum compliant configuration when the mandate explicitly requires FIPS 140-2 Level 3 HSM custody of key material.

AWS Key Management Service (AWS KMS), AWS CloudHSM, Amazon S3

Domain Coverage

Design for New Solutions

Difficulty Breakdown

Hard: 5