Which solution is the most secure and cost-effective option to protect the sensitive data?
Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
Add an S3 bucket policy that denies the action s3:GetObject
Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.
Explanations:
While removing sensitive data from the object name is a good approach, moving it into S3 user-defined metadata is still risky: server-side encryption covers the object body, not its metadata, so the metadata is stored and returned in plaintext on every HEAD or GET response and can surface in logs.
Denying s3:GetObject may restrict unauthorized access, but it does not address the issue of sensitive data within the object key itself, which can still be exposed in logs or metadata (for example in access logs, CloudTrail data events, or ListBucket results).
Using a random and unique S3 object key and creating an encrypted metadata index in DynamoDB ensures that sensitive data is neither stored in the object name nor exposed unintentionally.
Storing objects as BLOBs in an encrypted RDS instance would be more costly and complex, and it doesn’t leverage S3’s scalable storage capabilities effectively.