DVA-C02 Encryption at Rest, In Transit and Key Management Guide

Study DVA-C02 Encryption at Rest, In Transit and Key Management: key concepts, common traps, and exam decision cues.

Encryption questions on DVA-C02 usually look easy until they mix storage behavior, transport security, KMS permissions, and certificate handling into one stem. The exam wants you to know where encryption happens, who manages the keys, and which permission boundary can still block access.

Encryption at rest: Protection applied while data is stored in a database, object store, volume, or backup.

Encryption in transit: Protection applied while data moves between clients, services, or networks, usually through TLS.

What AWS is really testing here

AWS wants you to separate:

  • at rest from in transit
  • server-side from client-side encryption
  • key usage from key permission
  • certificate management from ordinary application secrets
  • service access from decrypt rights

Choose the right encryption lane

| If the question is mainly about… | Strong lane | Why |
| --- | --- | --- |
| service stores encrypted data automatically | server-side encryption | The storage service applies encryption at rest for you. |
| application must encrypt before sending data to AWS | client-side encryption | The app controls encryption before data leaves the client. |
| app can access the service but decryption still fails | KMS key policy or grant path | Service access and key usage are different permission lanes. |
| TLS certificates for services or private trust | certificate management | This is an in-transit trust problem, not a secrets-storage problem. |
| encrypting data across account boundaries | cross-account KMS usage path | Both caller permissions and key policy must align. |

Encryption decision flow

    flowchart TD
        A["Data protection requirement"] --> B{"Data stored or moving?"}
        B -->|"Stored"| C["Choose at-rest encryption model"]
        B -->|"Moving"| D["Choose TLS / certificate path"]
        C --> E{"Who encrypts?"}
        E -->|"Service"| F["Server-side encryption"]
        E -->|"Application"| G["Client-side encryption"]
        C --> H["Check KMS key access if decryption fails"]

Strong answers usually keep three questions separate:

  1. where is the data right now
  2. who is performing the encryption
  3. who is allowed to use the key

KMS is often the hidden blocker

DVA-C02 likes stems where IAM looks correct but the application still cannot decrypt. That usually means:

  • the principal can call the service
  • but the key policy, grant, or cross-account permission path still blocks KMS use

This is one of the clearest examples of why security questions need lane separation.

Rotation and cross-account use

If the question asks about operational security rather than app logic, key rotation may be the stronger answer. If it asks about decryption from another account, think about both the caller’s permissions and the key’s cross-account policy path.
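The two preceding sections describe the same rule from two angles: the service permission and the key permission are separate lanes, and for cross-account use both the key policy and the caller's own IAM policy have to line up. The following is an added example written for this guide, not AWS code and not the full AWS policy-evaluation algorithm (SCPs, permission boundaries, policy conditions, VPC endpoint policies and explicit Deny are left out). It models only the parts the exam stems turn on and runs offline; every account id, role name and policy in it is constructed.

```python
"""Two-lane access model: service permission vs. KMS key permission.

Added example written for this guide (not AWS code, not the full AWS
policy-evaluation algorithm: SCPs, permission boundaries, conditions, VPC
endpoint policies and explicit Deny are left out). It keeps the rules the exam
stems turn on: a key policy statement naming the account root delegates to
IAM in that account; a cross-account caller needs the key policy AND its own
IAM policy; a grant allows its listed operations on its own. All account ids,
role names and policies below are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Principal:
    account: str
    arn: str
    iam_actions: set            # actions allowed by the caller's identity policies

@dataclass
class KmsKey:
    account: str                # account that owns the key
    policy_statements: list     # key policy statements, same shape as the JSON
    grants: list = field(default_factory=list)   # (grantee_arn, {operations})

@dataclass
class Decision:
    service_allowed: bool       # lane 1: caller can reach the service action
    key_allowed: bool           # lane 2: caller can use the key
    reason: str

def _matches(action, patterns):
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    return any(fnmatchcase(action, p) for p in pats)

def iam_allows(principal, action):
    return _matches(action, principal.iam_actions)

def key_policy_names(key, principal, action):
    """Return (named directly, named through its account root) over Allow statements."""
    direct = via_root = False
    root_arn = f"arn:aws:iam::{principal.account}:root"
    for stmt in key.policy_statements:
        if stmt.get("Effect") != "Allow" or not _matches(action, stmt["Action"]):
            continue
        aws = stmt["Principal"]["AWS"]
        for p in ([aws] if isinstance(aws, str) else aws):
            direct = direct or p == principal.arn
            via_root = via_root or p == root_arn
    return direct, via_root

def key_allows(key, principal, action):
    op = action.split(":", 1)[1]                 # "kms:Decrypt" -> "Decrypt"
    if any(arn == principal.arn and op in ops for arn, ops in key.grants):
        return True, "a grant covers the operation"
    direct, via_root = key_policy_names(key, principal, action)
    if not (direct or via_root):
        return False, "no key policy statement or grant covers this principal"
    if direct and principal.account == key.account:
        return True, "key policy names the principal directly"
    # root delegation, or any cross-account use: the caller's IAM policy must also allow
    if iam_allows(principal, action):
        return True, "key policy allows and caller IAM allows"
    return False, "key policy allows but the caller's IAM policy does not"

def check(principal, key, service_action, kms_action="kms:Decrypt"):
    ok, why = key_allows(key, principal, kms_action)
    return Decision(iam_allows(principal, service_action), ok, why)

# --- constructed scenarios ----------------------------------------------------
def _stmt(principal_arn, actions):
    return {"Effect": "Allow", "Principal": {"AWS": principal_arn},
            "Action": actions, "Resource": "*"}

APP = Principal("111111111111", "arn:aws:iam::111111111111:role/app",
                {"s3:GetObject", "kms:Decrypt"})
BATCH = Principal("111111111111", "arn:aws:iam::111111111111:role/batch",
                  {"s3:GetObject"})                  # IAM never mentions KMS
DEFAULT_KEY = KmsKey("111111111111", [_stmt("arn:aws:iam::111111111111:root", "kms:*")])
LOCKED_KEY = KmsKey("111111111111", [_stmt("arn:aws:iam::111111111111:role/admin", "kms:*")])
SHARED_KEY = KmsKey("222222222222", [_stmt("arn:aws:iam::111111111111:root",
                                            ["kms:Decrypt", "kms:DescribeKey"])])
GRANTED_KEY = KmsKey("111111111111", LOCKED_KEY.policy_statements,
                     grants=[(APP.arn, {"Decrypt"})])

def scenarios():
    return {
        "same account, default key policy": check(APP, DEFAULT_KEY, "s3:GetObject"),
        "same account, key policy omits the role": check(APP, LOCKED_KEY, "s3:GetObject"),
        "cross account, both lanes aligned": check(APP, SHARED_KEY, "s3:GetObject"),
        "cross account, caller IAM lacks kms:Decrypt": check(BATCH, SHARED_KEY, "s3:GetObject"),
        "locked key, but a grant exists": check(APP, GRANTED_KEY, "s3:GetObject"),
    }
```

The second scenario is the classic stem: the role's IAM policy allows both `s3:GetObject` and `kms:Decrypt`, so lane 1 passes and the IAM side looks correct, yet the key policy was customised to name only an admin role, so lane 2 fails and the read returns ciphertext errors. The fourth scenario is the cross-account version: the key owner's policy trusts the other account's root, but the calling role's own IAM policy never grants `kms:Decrypt`, so the key lane still fails. Fixing either case means editing the key-usage lane (key policy, grant, or the caller's KMS IAM permission), not the service permission.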

Common traps

| Trap | Better thinking |
| --- | --- |
| encryption at rest and in transit are interchangeable | They protect different moments in the data path. |
| KMS permission comes automatically with service permission | Access to the service does not guarantee access to use the key. |
| certificates are just another app secret | Certificate management is a trust and transport-security lane. |
| server-side and client-side encryption are the same choice | They differ by who performs encryption and where trust is placed. |
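The "certificates are just another app secret" trap is easiest to see from the client side: a TLS client holds no secret for the server at all, only a set of CAs it trusts, and the handshake either chains the peer's certificate to one of them or fails. The following added example (written for this guide, not code from the guide or from AWS) puts the weak client configuration that developers reach for when a private-CA certificate fails validation next to the hardened one, plus a small audit of the settings. `private_ca_pem` is an assumed caller-supplied PEM bundle for a private CA.

```python
"""TLS client trust settings: the weak shortcut next to the hardened form.

Added example written for this guide (not code from the guide or from AWS).
The client stores no secret for the server, only the CAs it trusts; the
hardened context refuses any peer whose chain does not end at one of them.
`private_ca_pem` is an assumed caller-supplied PEM bundle for a private CA.
"""
import ssl


def weak_client_context():
    """The 'make the handshake error go away' context: trusts any certificate.
    Traffic is still encrypted, but to whoever answered, so the in-transit
    guarantee the exam asks about is gone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(private_ca_pem=None):
    """Chain and hostname verification on, TLS 1.2 minimum, optional private CA."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if private_ca_pem:
        # The right fix for a private-CA service: add the trust anchor,
        # instead of switching verification off.
        ctx.load_verify_locations(cadata=private_ca_pem)
    return ctx


def audit(ctx):
    """Findings a reviewer would raise against a client context (empty = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings
```

`audit(weak_client_context())` reports the disabled chain and hostname checks; `audit(hardened_client_context())` returns no findings. The point for the exam: the fix for a private or self-managed certificate lives in the certificate and trust-anchor lane (issue from a CA the client trusts, distribute that CA bundle), not in a secrets store.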

Decision order that usually wins

  1. First classify the requirement as encryption at rest, encryption in transit, or key-usage authorization.
  2. If the need is stored-data protection in a managed service, think server-side encryption at rest.
  3. If traffic must be protected between client and service, think TLS and certificate management.
  4. If decryption fails even though service access works, inspect the KMS permission path separately.
  5. DVA-C02 often tests that service access and key access are related but distinct control paths.

Revised on Sunday, May 10, 2026