Interview AWS

Explain S3 encryption options: SSE-S3, SSE-KMS, SSE-C, and client-side.

AWS · Intermediate level

Answer

SSE-S3 uses S3-managed encryption keys, SSE-KMS uses KMS keys with stronger control and audit, SSE-C uses customer-provided keys, and client-side encryption happens before upload. For sensitive enterprise data I usually prefer SSE-KMS.

Technical explanation

SSE-KMS adds key policy and KMS quota considerations but gives better audit and separation of duties.

S3 security should start with Block Public Access, least-privilege IAM/bucket policies, encryption, ownership controls, and CloudTrail or S3 data-event visibility for sensitive buckets.

Cost management depends on lifecycle policies, storage classes, version retention, object size, retrieval fees, and access patterns.

Operationally, validate bucket policies, KMS permissions, lifecycle effects, and restore behavior before applying broad production changes.

Hands-on example

1. Create a non-production bucket with Block Public Access, bucket owner enforced object ownership, default encryption, and scoped IAM access.

2. Add a policy control relevant to the question, such as deny non-TLS, require SSE-KMS, or restrict access to a VPC endpoint.

3. Enable versioning or lifecycle where relevant, upload test objects, and verify transitions, deletes, restores, and access-denied behavior.

4. Review Access Analyzer, Config, CloudTrail, and Storage Lens before applying the pattern to production.

Preparing for an interview?

Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.

More AWS interview questions

← All AWS questions