Which solution will meet these requirements with the LEAST operational overhead?
Create AWS Secrets Manager secrets for encrypted certificates. Manually update the certificates as needed. Control access to the data by using fine-grained IAM access.
Create an AWS Lambda function that uses the Python cryptography library to receive and perform encryption operations. Store the function in an Amazon S3 bucket.
Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3.
Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon Elastic Block Store (Amazon EBS) volumes.
Explanations:
While AWS Secrets Manager provides a way to securely store and manage secrets like certificates, it requires manual updates, which increases operational overhead. Additionally, it does not explicitly mention storing the data in highly available storage, which is required for this scenario.
Using a Lambda function with the Python cryptography library adds unnecessary complexity and operational overhead. Storing the function in an S3 bucket is not appropriate, as Lambda functions should be deployed directly. Furthermore, this solution does not leverage AWS’s built-in encryption capabilities.
Creating a KMS customer managed key allows for secure encryption and decryption operations with minimal operational overhead. Storing the encrypted certificates in Amazon S3 provides high availability and durability. This solution effectively meets all requirements with low maintenance.
While using KMS and EBS provides encryption, Amazon EBS volumes are not inherently designed for high availability in the same way that Amazon S3 is. EBS volumes are tied to specific Availability Zones and can become a single point of failure if not properly managed, making this option less favorable for this scenario.
I think the answer is:
Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3.