Which solution will meet these requirements?
Use client-side encryption with client-provided keys. Upload the encrypted user data to Amazon S3.
Use server-side encryption with S3 managed encryption keys (SSE-S3) to encrypt the user data on Amazon S3.
Use server-side encryption with customer-provided encryption keys (SSE-C) to encrypt the user data on Amazon S3.
Use server-side encryption with AWS KMS managed encryption keys (SSE-KMS) to encrypt the user data on Amazon S3.
Explanations:
Client-side encryption with client-provided keys does not meet the requirement for maintaining an audit trail of key usage, as the company manages the keys and there is no AWS service involved in the logging.
SSE-S3 uses encryption keys managed by Amazon S3, but it does not provide a detailed audit trail of key usage, as it lacks granular logging of who accessed or used the encryption key.
SSE-C uses customer-provided encryption keys, but it does not automatically provide an audit trail of key usage via AWS services. Key management and logging must be done outside of S3.
SSE-KMS uses AWS Key Management Service (KMS) managed keys, which automatically provide an audit trail of who used the key and when, through AWS CloudTrail logs. This satisfies both encryption and audit requirements.