AWS KMS & Encryption — DVA-C02 Bare Essentials

Topic Remember
SSE-S3 AWS manages everything. Simplest encryption.
SSE-KMS Uses AWS KMS. Supports Customer Managed Keys (CMKs), IAM control, CloudTrail auditing.
SSE-C Customer supplies encryption key with every request. AWS never stores the key.
Client-side Encryption Application encrypts data before sending to AWS. AWS never sees plaintext.
AWS KMS Managed key management service.
AWS CloudHSM Dedicated hardware security module with customer control.

1. SSE-S3 (Server-Side Encryption with S3 Managed Keys)

What it is

Use when

Remember


2. SSE-KMS (Server-Side Encryption with AWS KMS)

What it is

S3 encrypts objects using a KMS key.

Can use: - AWS Managed Key - Customer Managed Key (CMK)

Benefits

Use when

Questions mention: - Customer Managed Key (CMK) - Audit trail - Compliance - CloudTrail - IAM control

Upload Example

Specify:

This is the standard exam answer.


3. Customer Managed Key (CMK)

Why use it?

You control:

Exam keywords

If question says:

→ Answer is usually SSE-KMS with CMK


4. CloudTrail + KMS

Every Encrypt/Decrypt operation is logged.

Logs include:

Exam shortcut

Need audit trail?

→ SSE-KMS

NOT SSE-S3


5. Client-side Encryption

Application encrypts data BEFORE uploading.

AWS receives only ciphertext.

AWS never sees:

Usually implemented using:

Use when

Questions say:


6. AWS Encryption SDK

Provides client-side envelope encryption.

Flow:

Application

Generate Data Key

Encrypt File

Upload encrypted file to S3

Useful when AWS must never access plaintext.


7. SSE-C (Customer Provided Keys)

Customer sends encryption key with EVERY upload.

S3:

AWS never stores it.

Use when

Questions mention:


8. SSE-C vs Client-side Encryption

SSE-C

Application sends plaintext to S3.

S3 performs encryption.

AWS briefly sees plaintext.

AWS does NOT keep the key.


Client-side Encryption

Application encrypts first.

AWS never sees plaintext.

AWS never sees key.

This is the strongest customer control.


9. AWS CloudHSM

Dedicated Hardware Security Module.

Provides:

FIPS 140-2 Level 3

Use when

Question says:

Answer:

AWS CloudHSM


10. KMS vs CloudHSM

AWS KMS


CloudHSM


11. Automatic Key Rotation

Customer Managed Keys can be rotated automatically.

AWS:

Applications continue working.

Old key versions remain available to decrypt old data.

Exam trick

Rotation DOES NOT change:


12. Schedule Key Deletion

CMKs can be scheduled for deletion.

Waiting period:

7–30 days

During this period:

Deletion can be cancelled.


13. Cancel Key Deletion

Before deletion date:

Use:

After cancelling:

Key becomes:

Disabled

You must:

Enable it again

Then applications work normally.


14. Which Encryption Should I Choose?

SSE-S3

Choose when:


SSE-KMS

Choose when:


SSE-C

Choose when:


Client-side Encryption

Choose when:


CloudHSM

Choose when:


Exam Memory Tricks

"Simplest encryption"

→ SSE-S3


"Customer Managed Key"

→ SSE-KMS


"Audit trail"

→ SSE-KMS + CloudTrail


"CloudTrail key usage"

→ SSE-KMS


"Application encrypts before upload"

→ Client-side Encryption


"AWS Encryption SDK"

→ Client-side Encryption


"AWS must never store key"

→ SSE-C


"On-prem HSM"

→ SSE-C


"Unique key for every upload"

→ SSE-C


"Dedicated HSM"

→ CloudHSM


"FIPS Level 3"

→ CloudHSM


"Automatic yearly rotation"

→ Enable KMS automatic key rotation


"Cancel key deletion"

→ CancelKeyDeletion API


30-Second Revision