What is the MOST secure approach?
Use S3 default encryption using Advanced Encryption Standard-256 (AES-256) on the destination bucket.
Use Amazon Cognito for authorization and authentication to ensure the security of the application and documents.
Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket.
Use client-side encryption/decryption with Amazon S3 and AWS KMS.
Explanations:
S3 default encryption with AES-256 (SSE-S3) encrypts data at rest, but the keys are generated, stored and rotated entirely by S3: you cannot scope or revoke them, any principal allowed to read the object gets it decrypted transparently, and no key-usage event is recorded. It does not meet a requirement for client-side encryption or for auditing who decrypted which document.
Amazon Cognito provides user authentication and authorization. It does not encrypt the stored documents, manage encryption keys, or record access to individual documents, so it does not address the storage requirement on its own.
Using AWS Lambda to encrypt and decrypt objects after they land in S3 is possible, but it adds complexity and weakens the security model: an S3 event fires after PutObject, so the plaintext object sits in the bucket until the function rewrites it, and the function's execution role must hold decrypt rights for every document, enlarging the trust boundary. It also reimplements key handling that the SDK's client-side encryption already provides with KMS.
Client-side encryption with Amazon S3 and AWS KMS (envelope encryption) gives the most control: the client requests a data key from KMS, encrypts the document locally, and uploads only the ciphertext with the KMS-wrapped data key as metadata, so plaintext never reaches S3. Every read requires a kms:Decrypt call, which CloudTrail logs with the caller's identity, and access can be restricted or revoked through the KMS key policy. This provides both the encryption and the detailed access audit trail the requirements call for.
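The following Go program is an added illustration of the envelope-encryption flow described above; it is not code from the original page or from AWS. It implements the client-side half (per-object AES-256-GCM data key, wrapped key carried as object metadata, plaintext key zeroed after use) against a small KeyProvider interface. The LocalKMS type is a constructed stand-in for the KMS GenerateDataKey and Decrypt API calls so the example runs offline; it also records each call, which is the information CloudTrail would log against the real service. The metadata names, key alias, object key and sample document are all illustrative.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KeyProvider is the slice of the KMS API envelope encryption needs. In
// production it is backed by the AWS SDK; here a local stand-in satisfies it.
type KeyProvider interface {
	GenerateDataKey(keyID string) (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

// LocalKMS is a constructed stand-in for AWS KMS (assumption: not the real
// service). It wraps data keys under an in-memory AES-256 key and logs calls.
type LocalKMS struct {
	masterKey []byte
	calls     []string // what CloudTrail would record per API call
}

func NewLocalKMS() *LocalKMS {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		panic(err)
	}
	return &LocalKMS{masterKey: mk}
}

func (k *LocalKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	k.calls = append(k.calls, "GenerateDataKey "+keyID)
	dk := make([]byte, 32) // fresh AES-256 data key, one per object
	if _, err := rand.Read(dk); err != nil {
		return nil, nil, err
	}
	wrapped, err := gcmSeal(k.masterKey, dk, nil)
	return dk, wrapped, err
}

func (k *LocalKMS) Decrypt(wrapped []byte) ([]byte, error) {
	k.calls = append(k.calls, "Decrypt")
	return gcmOpen(k.masterKey, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptedObject is what PutObject would receive: ciphertext body plus the
// wrapped key and key ID as user metadata (illustrative names, not the
// S3 Encryption Client's own).
type EncryptedObject struct {
	Body     []byte
	Metadata map[string]string
}

func PutEncrypted(kms KeyProvider, keyID, objectKey string, plaintext []byte) (*EncryptedObject, error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(dk) // the plaintext data key never outlives this call
	// Object key as AAD: a ciphertext copied under another key fails to open.
	body, err := gcmSeal(dk, plaintext, []byte(objectKey))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Body: body, Metadata: map[string]string{
		"x-amz-meta-wrapped-key": base64.StdEncoding.EncodeToString(wrapped),
		"x-amz-meta-kms-key-id":  keyID,
	}}, nil
}

func GetDecrypted(kms KeyProvider, objectKey string, obj *EncryptedObject) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(obj.Metadata["x-amz-meta-wrapped-key"])
	if err != nil {
		return nil, err
	}
	dk, err := kms.Decrypt(wrapped) // the per-read call that CloudTrail records
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return gcmOpen(dk, obj.Body, []byte(objectKey))
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := NewLocalKMS()
	doc := []byte("constructed sample document") // constructed input
	obj, err := PutEncrypted(kms, "alias/documents", "contracts/nda.pdf", doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("bucket sees plaintext:", bytes.Contains(obj.Body, doc))
	pt, err := GetDecrypted(kms, "contracts/nda.pdf", obj)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	fmt.Println("audit trail:", kms.calls)
}
```

Two points the code makes that the prose only states: the bucket never holds the plaintext or the plaintext data key, and each GetDecrypted produces one Decrypt call, so denying kms:Decrypt in the key policy cuts off reads even for a principal that still has s3:GetObject. A tampered body or a ciphertext moved to a different object key fails authentication rather than decrypting to garbage.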