Which solution will meet these requirements?
Use server-side encryption with Amazon S3 managed keys (SSE-S3).
Use an S3 Bucket Key for server-side encryption with AWS KMS keys (SSE-KMS) on the new objects.
Use client-side encryption with AWS KMS customer managed keys.
Use server-side encryption with customer-provided keys (SSE-C) stored in AWS KMS.
Explanations:
Using server-side encryption with Amazon S3 managed keys (SSE-S3) does not fulfill the company’s encryption requirements since it does not leverage AWS KMS, which the company is currently using for encryption. SSE-S3 uses Amazon S3 managed keys and may not meet the strict KMS requirements.
Using an S3 Bucket Key for server-side encryption with AWS KMS keys (SSE-KMS) on new objects allows for reduced costs by minimizing the number of calls to AWS KMS, while still meeting the encryption requirements. S3 Bucket Keys help lower the cost of requests to KMS, making this option suitable for the company’s needs.
Client-side encryption with AWS KMS customer managed keys requires managing encryption and decryption processes on the client side, which can complicate operations and does not optimize costs associated with AWS KMS calls. Additionally, it may not satisfy the company’s requirement for S3-native encryption.
Using server-side encryption with customer-provided keys (SSE-C) does not leverage AWS KMS for key management, which is crucial for meeting the company’s strict encryption requirements. Furthermore, this approach would require the company to manage the encryption keys themselves, increasing operational overhead and potential security risks.
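As an added example (not part of the original question or its answer key), the configuration behind the correct option can be expressed and audited in Python. The dict shapes mirror the S3 PutBucketEncryption request and GetBucketEncryption response; the KMS key ARN and the sample configurations are constructed placeholders, and no AWS call is made.

```python
from __future__ import annotations

# Added example: build the SSE-KMS + S3 Bucket Key default-encryption rule for a
# bucket and audit an existing configuration for it. Dict shapes follow the S3
# PutBucketEncryption / GetBucketEncryption APIs; the key ARN is a placeholder.
PLACEHOLDER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def bucket_key_sse_kms_config(kms_key_arn: str) -> dict:
    """Default-encryption configuration selecting SSE-KMS with an S3 Bucket Key.

    A bucket-level setting applies to new objects only; objects uploaded before
    it was enabled keep their original encryption settings.
    """
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_arn,
                },
                "BucketKeyEnabled": True,  # bucket-level key cuts per-object KMS calls
            }
        ]
    }


def check_encryption_rules(sse_config: dict) -> list[str]:
    """Audit a ServerSideEncryptionConfiguration; an empty list means compliant."""
    findings: list[str] = []
    rules = sse_config.get("Rules", [])
    if not rules:
        return ["no default encryption rule configured"]
    for i, rule in enumerate(rules):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo != "aws:kms":  # AES256 here means SSE-S3, which bypasses KMS
            findings.append(f"rule {i}: SSEAlgorithm is {algo!r}, expected 'aws:kms' (SSE-KMS)")
            continue
        if not default.get("KMSMasterKeyID"):
            findings.append(f"rule {i}: no KMSMasterKeyID; the AWS managed key aws/s3 is used")
        if not rule.get("BucketKeyEnabled", False):
            findings.append(f"rule {i}: BucketKeyEnabled is false; every object request calls KMS")
    return findings


if __name__ == "__main__":
    # Constructed sample: SSE-S3 only, as in the first (incorrect) option.
    sse_s3_only = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    print(check_encryption_rules(sse_s3_only))
    print(check_encryption_rules(bucket_key_sse_kms_config(PLACEHOLDER_KEY_ARN)))
```

With boto3, the dict from bucket_key_sse_kms_config would be passed as the ServerSideEncryptionConfiguration argument of put_bucket_encryption, and the audit function run over the same key of the get_bucket_encryption response.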