Which TWO statements about data encryption in AWS are correct? (Choose TWO.)

Correct answer: A, D

Explanation

A question about selecting TWO correct statements about AWS encryption.

Topic: data encryption in AWS. The question tests whether you can distinguish three roles: KMS for key management, encryption at rest for protecting stored data, and encryption in transit for protecting data in motion.
A. Correct

AWS KMS allows you to centrally create, manage, and control access to encryption keys.

Correct. AWS KMS (Key Management Service) is a managed service that centrally handles the creation, storage, and rotation (periodic replacement of the key material) of the keys used for data encryption. Access is controlled by the key policy attached to each key, optionally combined with IAM policies and grants, and every use of a key is logged in CloudTrail, so you can audit when a key was used and by whom. Many AWS services, including S3 and EBS, use KMS keys for server-side encryption.

B. Incorrect

Enabling encryption at rest for S3 automatically encrypts data in transit as well.

Encryption at rest (for example S3 server-side encryption, SSE) protects only the stored object.

Protecting the channel between client and service is a separate concern handled by TLS (HTTPS), which is what encryption in transit means. Enabling encryption at rest does nothing for data in transit; if you want to forbid plaintext HTTP access to a bucket, you need a bucket policy that denies requests whose aws:SecureTransport condition key is false. So this statement is incorrect.
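To make the "separate controls" point concrete, here is an added example (not from the original quiz and not AWS code): a small offline evaluator for a constructed S3 bucket policy that carries one Deny for non-TLS requests (aws:SecureTransport) and one Deny for uploads that do not request SSE-KMS. The bucket name example-bucket, the account id 111122223333 and the role name app are placeholders, and the evaluator implements only a reduced subset of IAM semantics (stated in the docstring); it is there to show which statement fires for which request, not to replace the real policy engine.

```python
"""Added example (not AWS's code): evaluate a constructed S3 bucket policy
offline to show that TLS in transit and SSE at rest are separate controls,
each enforced by its own Deny statement.

Deliberately reduced subset of IAM evaluation: explicit Deny beats Allow,
'*' wildcards in Action/Resource, and the Bool / StringEquals /
StringNotEquals / Null condition operators. Assumed simplification: a
missing context key makes a negated operator (StringNotEquals) match and a
non-negated operator (Bool, StringEquals) not match. NotAction, policy
variables, ...IfExists, SCPs and session policies are out of scope.
"""
import fnmatch
import json

# Constructed policy: bucket, account id and role name are placeholders.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppRole",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket",
                   "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyUploadsWithoutSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringNotEquals":
                    {"s3:x-amz-server-side-encryption": "aws:kms"}}
    }
  ]
}
""")

APP_ROLE = "arn:aws:iam::111122223333:role/app"      # placeholder caller
OBJECT_ARN = "arn:aws:s3:::example-bucket/data.csv"  # placeholder object


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """Action/Resource matching with IAM-style '*' wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or caller_arn in aws


def _condition_matches(condition, ctx):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            present = actual is not None
            if operator == "Bool":  # case-insensitive true/false
                if not present or str(actual).lower() not in [str(e).lower() for e in expected]:
                    return False
            elif operator == "StringEquals":  # case-sensitive
                if not present or actual not in expected:
                    return False
            elif operator == "StringNotEquals":  # missing key counts as "not equal"
                if present and actual in expected:
                    return False
            elif operator == "Null":  # "true" means the key must be absent
                if present == (str(expected[0]).lower() == "true"):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, caller_arn, action, resource, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt.get("Principal", "*"), caller_arn)
                and _matches_any(stmt["Action"], action)
                and _matches_any(stmt["Resource"], resource)
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny is final, whatever else matched
            decision = "Allow"
    return decision


def s3_request(action, https, sse_header=None):
    """Simulate the request context S3 would build for the app role."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if sse_header is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return evaluate(BUCKET_POLICY, APP_ROLE, action, OBJECT_ARN, ctx)


if __name__ == "__main__":
    for args in [("s3:PutObject", True, "aws:kms"), ("s3:PutObject", False, "aws:kms"),
                 ("s3:PutObject", True, None), ("s3:GetObject", True, None)]:
        print(args, "->", s3_request(*args))
```

The first Deny is the control that actually addresses option B: an HTTPS upload with the SSE-KMS header is allowed, the same upload over plain HTTP is denied even though the object would have been encrypted at rest, and an HTTPS GET is allowed while an HTTP GET is denied. The second Deny shows the reverse gap: a TLS-protected upload that omits the SSE header (or asks for AES256 instead of aws:kms) is rejected, so neither control substitutes for the other.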

C. Incorrect

Because KMS keys are managed by AWS, customers cannot control access to them.

With AWS KMS, the customer decides who may use each key: the key policy attached to the key is the primary control, and IAM policies in the key's account apply only where the key policy allows them to.

The claim that "AWS manages it, so customers cannot control it" contradicts the core purpose of KMS (centralized creation, management, and access control of keys), so this is incorrect. Only AWS managed keys (such as aws/s3) have a key policy fixed by AWS; customer managed keys are fully under your control.

D. Correct

Encryption in transit uses TLS and similar protocols to protect data on the communication channel.

Correct. Encryption in transit encrypts data on the communication channel using TLS (the successor to SSL) to protect against eavesdropping and tampering. HTTPS is the primary example.

E. Incorrect

Enabling encryption at rest requires application-side code changes.

With server-side encryption (SSE) on services such as S3 and EBS, the service encrypts data when it is written and decrypts it when it is read. The encryption is transparent to the application, which reads and writes exactly as before.

Because it is enabled through configuration alone (and S3 has encrypted all new objects with SSE-S3 by default since January 2023), the claim that application changes are required is incorrect. One caveat that is a permission change rather than a code change: with SSE-KMS the caller's identity must be allowed to use the key (kms:GenerateDataKey for writes, kms:Decrypt for reads), or the request fails with AccessDenied.

Key Takeaway

Key points on encryption: KMS provides centralized key management and access control (key policies plus IAM); in transit means TLS protecting the channel; at rest and in transit have different targets and are enabled separately; server-side encryption is transparent and needs no application changes.