Client-side encryption is the only correct choice because it allows Orion eNotary to apply its proprietary cipher before uploading objects so Amazon S3 only stores ciphertext and AWS never performs or controls the encryption algorithm or sees the plaintext.

Client-side encryption gives the company full control over the encryption process and the key lifecycle so the proprietary algorithm and key material remain on the client side. You encrypt files locally with your custom cipher then upload the resulting ciphertext to S3 which treats the objects as opaque data.

Server-side encryption with AWS KMS keys (SSE-KMS) is incorrect because AWS KMS performs encryption with AWS supported implementations and algorithms so you cannot substitute a custom cipher. KMS controls key usage and the service uses standard, managed algorithms.

Server-side encryption with Amazon S3 managed keys (SSE-S3) is incorrect because S3 manages both keys and the encryption algorithms and offers no mechanism to run a customer proprietary cipher during server side encryption.

Server-side encryption with customer-provided keys (SSE-C) is incorrect because although you provide key material S3 still executes encryption with its own implementation and it does not support custom cipher implementations. SSE-C also requires you to supply the key with each request which raises additional operational exposure.

Full AWS Practitioner Certification Question