Which solution will meet these requirements with the LEAST operational overhead?
Generate a unique encryption key for each customer. Store the keys in an Amazon S3 bucket. Enable server-side encryption.
Deploy a hardware security appliance in the AWS environment that securely stores customer-provided encryption keys. Integrate the security appliance with AWS KMS to encrypt the sensitive data in the application.
Create a single AWS KMS key to encrypt all sensitive data across the application.
Create separate AWS KMS keys for each customer’s data that have granular access control and logging enabled.
Explanations:
Storing encryption keys as objects in an Amazon S3 bucket does not provide the centralized key management that AWS KMS offers: the raw key material leaves the store on every use, there is no per-key access policy or audit trail of cryptographic operations, and rotation and revocation become application problems. Server-side encryption protects the key objects at rest, but not the keys once the application has read them. The solution also adds operational overhead for managing S3 permissions and protecting the bucket itself.
Deploying a hardware security appliance (for example AWS CloudHSM used as a KMS custom key store) adds significant operational complexity and management overhead: the cluster, its backups, HSM user credentials and availability all have to be managed by the customer. This contradicts the requirement for the least operational overhead, and the question states no compliance requirement for customer-held HSMs that would justify it.
Using a single AWS KMS key for all customer data does not meet the requirement to encrypt each customer's data separately. One key means one key policy: any principal allowed kms:Decrypt on it can decrypt every customer's data, and CloudTrail records use of one shared key rather than per-customer access, so isolation has to be enforced entirely in application code. This lacks the isolation expected for sensitive data and can lead to compliance issues.
Creating a separate AWS KMS key for each customer's data ensures that encryption is handled in a compliant manner. Each key has its own key policy (which can be restricted to that customer's workload and encryption context), its own CloudTrail entries, its own rotation schedule, and can be disabled or scheduled for deletion on its own to revoke access to a single customer's data. AWS KMS holds and manages the key material, so this meets the security requirements with minimal operational overhead. The practical caveats are cost (each customer managed key is billed monthly) and the per-Region quota on KMS keys, which should be checked against the expected number of customers.
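As an added illustration of what "granular access control" looks like for the per-customer key option (this is example code, not part of the original question or explanation), the following Python builds a tenant-scoped KMS key policy, provisions one key per tenant with an alias and automatic rotation, and performs Encrypt/Decrypt with an encryption context. The tenant id, the single application role ARN, the account id and the `{"tenant": <id>}` encryption context pair are assumptions; the `kms` argument is a boto3 KMS client or any object with the same methods, and the `__main__` block only prints a policy so it runs offline.

```python
"""One AWS KMS key per tenant, with a key policy that only allows the
application role to use the key under that tenant's encryption context.

Added example, not from the original page. Assumed conventions:
  - tenant ids are short, alias-safe strings
  - the application runs under one IAM role (app_role_arn)
  - every cryptographic call carries EncryptionContext={"tenant": <id>}
"""
import json
import re

# KMS alias names allow [a-zA-Z0-9/_-] up to 256 chars; tenant ids are kept stricter.
ALIAS_SAFE = re.compile(r"^[a-zA-Z0-9_-]{1,200}$")


def tenant_alias(tenant_id: str) -> str:
    """Alias under which a tenant's key is addressed; rejects unsafe ids."""
    if not ALIAS_SAFE.match(tenant_id):
        raise ValueError(f"tenant id not safe for a KMS alias: {tenant_id!r}")
    return f"alias/tenant-{tenant_id}"


def tenant_key_policy(account_id: str, tenant_id: str, app_role_arn: str) -> dict:
    """Key policy for one tenant's key.

    The root-account statement keeps the key administrable (without it
    CreateKey refuses the policy unless the lockout safety check is bypassed).
    The application statement grants cryptographic use only when the request's
    encryption context names this tenant, so the same role cannot use tenant A's
    key to decrypt data labelled for tenant B.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowTenantApplicationUse",
                "Effect": "Allow",
                "Principal": {"AWS": app_role_arn},
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlaintext",
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:EncryptionContext:tenant": tenant_id}
                },
            },
        ],
    }


def provision_tenant_key(kms, account_id: str, tenant_id: str, app_role_arn: str) -> str:
    """Create the tenant's key, alias and rotation; returns the key ARN."""
    alias = tenant_alias(tenant_id)
    resp = kms.create_key(
        Description=f"Tenant data key for {tenant_id}",
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",
        Policy=json.dumps(tenant_key_policy(account_id, tenant_id, app_role_arn)),
        Tags=[{"TagKey": "tenant", "TagValue": tenant_id}],
    )
    key_arn = resp["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName=alias, TargetKeyId=key_arn)
    kms.enable_key_rotation(KeyId=key_arn)  # yearly rotation managed by KMS
    return key_arn


def encrypt_for_tenant(kms, tenant_id: str, plaintext: bytes) -> bytes:
    """Encrypt under the tenant's key; the context is what the key policy checks."""
    resp = kms.encrypt(
        KeyId=tenant_alias(tenant_id),
        Plaintext=plaintext,
        EncryptionContext={"tenant": tenant_id},
    )
    return resp["CiphertextBlob"]


def decrypt_for_tenant(kms, tenant_id: str, ciphertext: bytes) -> bytes:
    """Decrypt, pinning both the key and the tenant context so a ciphertext
    from another tenant (or with a different context) is refused by KMS."""
    resp = kms.decrypt(
        KeyId=tenant_alias(tenant_id),
        CiphertextBlob=ciphertext,
        EncryptionContext={"tenant": tenant_id},
    )
    return resp["Plaintext"]


if __name__ == "__main__":
    # Constructed sample values; no AWS call is made here.
    policy = tenant_key_policy(
        "123456789012", "acme", "arn:aws:iam::123456789012:role/tenant-app"
    )
    print(json.dumps(policy, indent=2))
```

Every Encrypt and Decrypt call above appears in CloudTrail with the key ARN and the encryption context, so per-customer audit is a filter on the key ARN rather than something the application has to log itself. Disabling one customer's key (or scheduling its deletion) makes only that customer's ciphertext unrecoverable while the other tenants are untouched.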