Which solution for encryption keys should a developer use to meet these requirements?
Amazon S3 managed keys
Application-level encryption with customer-provided encryption keys that are stored in an on-premises hardware security module (HSM)
AWS Key Management Service (AWS KMS) customer managed keys
IAM access keys
Explanations:
Amazon S3 managed keys (SSE-S3) are managed entirely by AWS, so the customer has no control over the encryption keys; this does not meet the requirement for control over encryption keys.
Application-level encryption with customer-provided keys requires the company to manage the encryption keys itself, which it wants to avoid; storing those keys in an on-premises HSM adds further operational complexity.
AWS Key Management Service (AWS KMS) customer managed keys (SSE-KMS) give the customer control over the encryption keys while AWS operates the underlying key management infrastructure, which matches the company's requirement for key control without managing the security infrastructure.
IAM access keys are credentials used for authentication and authorization, not encryption keys; they play no role in encrypting data at rest in S3.