🔥 3-day streak
AWS Certified Security - Specialty80 / 157
Question 80 of 157
A security engineer is designing envelope encryption for an application that stores sensitive customer records in Amazon S3 using SSE-KMS with a customer managed key. Compliance requires that a decryption request only succeeds if it is tied to the same logical tenant that performed the encryption, so that a valid ciphertext for one tenant cannot be decrypted in the context of a different tenant. The engineer wants to enforce this cryptographically without creating a separate KMS key per tenant. Which approach BEST meets this requirement?
Reviewed for accuracy · Report an issueNext question