AWS · SOA-C03

Data Protection And Encryption Design — AWS SysOps Administrator (SOA-C03)

5% of exam questions (9 of 200)

At-Rest and In-Transit Encryption Are Not One Control

SOA-C03 encryption questions often describe both a storage component and a data-in-flight path. "Encryption enabled" typically refers to at-rest coverage via KMS; TLS is a separate, independently required control. The phrase "end-to-end encryption" is the exam's signal that the correct answer must address the transport layer in addition to storage. A single-layer answer — even if technically correct for that layer — does not satisfy both constraints simultaneously.
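The two-layer point above can be made concrete as a bucket policy: one explicit Deny for the transport layer and one (here, two) for the storage layer, since neither condition implies the other. The following is an added example, not content from the SOA-C03 page; the bucket name, the KMS key ARN and the request contexts are constructed, and the small evaluator models only the two IAM condition operators the policy uses.

```python
import json

BUCKET = "example-secure-bucket"                                       # constructed
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder, not a real key


def build_bucket_policy(bucket, kms_key_arn):
    """Return a bucket policy with a separate Deny for each layer."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # In transit: any call that did not arrive over TLS is refused.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                # At rest: uploads must request SSE-KMS explicitly.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
            {
                # At rest, second check: only the approved customer-managed key.
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn
                    }
                },
            },
        ],
    }


def _condition_matches(condition, ctx):
    """Minimal evaluator for the two operators used above.
    IAM semantics modelled: Bool needs the key present and equal;
    StringNotEquals also matches when the key is absent from the request,
    so an upload with no encryption header is denied as well."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != expected.lower():
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def matching_denies(policy, action, ctx):
    """Return the Sids of Deny statements that fire for this action and request context."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a == action or a == "s3:*" for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            sids.append(stmt["Sid"])
    return sids


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    # Constructed request: TLS is on, but the upload asks for SSE-S3 (AES256),
    # so the transport check passes and both storage checks fire.
    print(matching_denies(policy, "s3:PutObject", {
        "aws:SecureTransport": "true",
        "s3:x-amz-server-side-encryption": "AES256",
    }))
```

Each statement answers one exam constraint: a scenario that says "end-to-end" needs the first statement as well as the other two, and a scenario that only says "encrypted at rest" is not satisfied by the first statement alone.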

What This Pattern Tests

The exam tests encryption decision points across services. S3 offers SSE-S3 (AWS manages keys, zero config), SSE-KMS (customer-managed KMS key with CloudTrail logging of every key use, key policy controls, automatic rotation), and SSE-C (you provide the key per request, AWS never stores it). The decision depends on requirements: "encrypt at rest" = SSE-S3. "Audit every access to encrypted data" = SSE-KMS with CloudTrail. "Regulatory requirement to control HSM" = CloudHSM. Cross-account access to encrypted data requires KMS key policies that grant the other account permission — a common exam scenario.
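The cross-account scenario mentioned above turns on the KMS key policy in the key-owning account. The example below is added here and is not code from the page: it builds a key policy that lets a role in another account use the key only through S3, restricted with the `kms:ViaService` condition, and then reviews the policy for external principals granted more than the two actions S3 needs. Account IDs, the role name and the region are constructed.

```python
import json

KEY_OWNER_ACCOUNT = "111122223333"                                       # constructed
CONSUMER_ACCOUNT = "444455556666"                                        # constructed
CONSUMER_ROLE_ARN = f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/DataReader"   # hypothetical role
REGION = "us-east-1"

# The only KMS actions S3 needs to write (GenerateDataKey) and read (Decrypt) SSE-KMS objects.
S3_DATA_KEY_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}


def build_cross_account_key_policy(owner_account, external_principal_arn, region, actions=None):
    """Key policy: owner keeps administration, the external role gets data-key use via S3 only."""
    if actions is None:
        actions = sorted(S3_DATA_KEY_ACTIONS)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Owning account root retains control so the key can always be administered.
                "Sid": "EnableKeyOwnerAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                # External role may use the key, but only when S3 in this region calls KMS on its behalf.
                "Sid": "AllowExternalRoleViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": external_principal_arn},
                "Action": actions,
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    # "arn:aws:iam::111122223333:root" -> "111122223333"; a bare "*" is returned unchanged.
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def external_grants(policy, owner_account):
    """Map each Allow-ed principal from outside the owning account to its set of actions."""
    grants = {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principal_field = stmt["Principal"]
        principals = principal_field.get("AWS", []) if isinstance(principal_field, dict) else [principal_field]
        for principal in _as_list(principals):
            if _account_of(principal) != owner_account:
                grants.setdefault(principal, set()).update(_as_list(stmt["Action"]))
    return grants


def least_privilege_findings(policy, owner_account):
    """Flag external principals allowed anything beyond S3 data-key use (kms:* included)."""
    findings = []
    for principal, actions in sorted(external_grants(policy, owner_account).items()):
        excess = sorted(actions - S3_DATA_KEY_ACTIONS)
        if excess:
            findings.append(f"{principal}: {excess}")
    return findings


if __name__ == "__main__":
    policy = build_cross_account_key_policy(KEY_OWNER_ACCOUNT, CONSUMER_ROLE_ARN, REGION)
    print(json.dumps(policy, indent=2))
    print("findings:", least_privilege_findings(policy, KEY_OWNER_ACCOUNT))
```

The key policy is only half of the cross-account grant: the consumer account must also attach an IAM policy to the role allowing the same actions on the key ARN, and the bucket policy must allow the role the S3 actions. A policy whose external statement reads `kms:*` is caught by `least_privilege_findings`, which is the review a SysOps administrator should run before sharing a key.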

Decision Axis

Key management responsibility (zero vs. policy control vs. full ownership) maps to compliance requirements.

Associated Traps

Decision Rules

Whether to use SSE-S3 (S3-managed keys, which produce no CloudTrail key-usage events) or SSE-KMS with a customer-managed KMS key (every kms:GenerateDataKey and kms:Decrypt call is recorded as a CloudTrail event). Only the CMK path satisfies a compliance requirement to demonstrate that all key access is logged.

AWS Key Management Service · Amazon S3

Whether 'encryption is enabled' without KMS satisfies a compliance audit-trail requirement, or whether KMS customer-managed keys are the minimum necessary configuration to produce per-key CloudTrail events — with the cost of KMS API calls being a non-negotiable consequence of the compliance constraint, not an optional overhead.
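Both decision rules above rest on the same observable: SSE-KMS produces a KMS event in CloudTrail for each data-key operation, SSE-S3 produces none. The following added example (not from the page) runs that audit over a few constructed records shaped like CloudTrail entries: it lists every use of one key with the principal and the S3 object from the encryption context, separates out callers from other accounts, and flags uploads whose SSE mode can never be backed by a per-key event. Key ARN, account IDs, role names and object keys are made up.

```python
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder, not a real key
OWNER_ACCOUNT = "111122223333"                                     # constructed

# Constructed records modelled on CloudTrail's shape; not real log data.
SAMPLE_RECORDS = [
    {   # S3 asked KMS for a data key while writing an SSE-KMS object.
        "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
        "eventTime": "2024-05-01T10:00:00Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Uploader",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"keyId": KEY_ARN, "encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::example-secure-bucket/reports/q1.csv"}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # A role from another account read that object: S3 called Decrypt on its behalf.
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "eventTime": "2024-05-01T10:05:00Z",
        "userIdentity": {"arn": "arn:aws:iam::444455556666:role/DataReader",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::example-secure-bucket/reports/q1.csv"}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # SSE-S3 upload (S3 data event): no KMS event will ever exist for this object.
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "eventTime": "2024-05-01T10:10:00Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Uploader"},
        "requestParameters": {"bucketName": "example-secure-bucket", "key": "reports/q2.csv",
                              "x-amz-server-side-encryption": "AES256"},
        "resources": [{"type": "AWS::S3::Object",
                       "ARN": "arn:aws:s3:::example-secure-bucket/reports/q2.csv"}],
    },
]


def kms_key_events(records, key_arn):
    """Every recorded use of one key as (eventName, principal ARN, S3 object from the encryption context)."""
    rows = []
    for rec in records:
        if rec["eventSource"] != "kms.amazonaws.com":
            continue
        if not any(res.get("ARN") == key_arn for res in rec.get("resources", [])):
            continue
        ctx = rec.get("requestParameters", {}).get("encryptionContext", {})
        rows.append((rec["eventName"], rec["userIdentity"]["arn"], ctx.get("aws:s3:arn")))
    return rows


def external_key_users(records, key_arn, owner_account):
    """Principals from other accounts that used the key; the list a cross-account audit asks for."""
    return sorted({principal for _, principal, _ in kms_key_events(records, key_arn)
                   if principal.split(":")[4] != owner_account})


def objects_without_key_audit(records):
    """S3 uploads whose SSE mode is not aws:kms: there is no per-key event to show an auditor."""
    unaudited = []
    for rec in records:
        if rec["eventSource"] == "s3.amazonaws.com" and rec["eventName"] == "PutObject":
            params = rec["requestParameters"]
            if params.get("x-amz-server-side-encryption") != "aws:kms":
                unaudited.append(f"arn:aws:s3:::{params['bucketName']}/{params['key']}")
    return unaudited


if __name__ == "__main__":
    for row in kms_key_events(SAMPLE_RECORDS, KEY_ARN):
        print("key use:", row)
    print("external callers:", external_key_users(SAMPLE_RECORDS, KEY_ARN, OWNER_ACCOUNT))
    print("no key audit trail:", objects_without_key_audit(SAMPLE_RECORDS))
```

Two things to keep in mind when reading the output: S3 data events for PutObject are only recorded if data-event logging is enabled for the bucket, and with S3 Bucket Keys enabled S3 caches a bucket-level data key, so there are far fewer KMS calls than object operations. The audit shows key use, not every object read, which is also why the per-call KMS cost the rule above mentions goes down with Bucket Keys.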

AWS Key Management Service · Amazon S3 · Amazon RDS

The ACM certificate for a CloudFront distribution must always be provisioned in us-east-1 regardless of where the origin ALB resides, because CloudFront's global edge control plane reads TLS certificates exclusively from that region.
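The region rule above applies to the CloudFront viewer certificate only; the origin ALB's own certificate must live in the ALB's region. The added check below (not from the page) validates where a certificate ARN is placed for either consumer, so a mismatch is caught before the distribution or listener is created. The certificate ARNs are placeholders.

```python
CLOUDFRONT_CERT_REGION = "us-east-1"  # the one region CloudFront's global control plane reads ACM from


def certificate_placement_problems(certificate_arn, attached_to, resource_region=None):
    """Return a list of problems (empty means OK).

    attached_to: "cloudfront" (certificate must be in us-east-1) or
                 "alb" (certificate must be in resource_region, the ALB's own region).
    """
    parts = certificate_arn.split(":")
    if len(parts) != 6 or parts[0] != "arn":
        return [f"not an ARN: {certificate_arn!r}"]
    _, _partition, service, region, _account, resource = parts

    problems = []
    if service != "acm" or not resource.startswith("certificate/"):
        problems.append("not an ACM certificate ARN (this check covers ACM certificates only)")

    if attached_to == "cloudfront":
        if region != CLOUDFRONT_CERT_REGION:
            problems.append(f"certificate lives in {region!r}; CloudFront only reads ACM "
                            f"certificates from {CLOUDFRONT_CERT_REGION}")
    elif attached_to == "alb":
        if resource_region is None:
            problems.append("ALB region is required to validate an ALB certificate")
        elif region != resource_region:
            problems.append(f"certificate lives in {region!r} but the ALB is in {resource_region!r}; "
                            "ALB certificates must be in the ALB's region")
    else:
        problems.append(f"unknown consumer {attached_to!r}")
    return problems


if __name__ == "__main__":
    # Placeholder ARNs: an edge certificate in us-east-1 and an origin certificate in eu-west-1.
    edge = "arn:aws:acm:us-east-1:111122223333:certificate/EDGE-EXAMPLE-ID"
    origin = "arn:aws:acm:eu-west-1:111122223333:certificate/ORIGIN-EXAMPLE-ID"
    print(certificate_placement_problems(edge, "cloudfront"))            # []
    print(certificate_placement_problems(origin, "alb", "eu-west-1"))    # []
    print(certificate_placement_problems(origin, "cloudfront"))          # region problem
```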

AWS Certificate Manager · Amazon CloudFront · Amazon Route 53

Domain Coverage

Security and Compliance · Networking and Content Delivery

Difficulty Breakdown

Easy: 3 · Medium: 3 · Hard: 3