What is the MOST secure approach?
Use S3 default encryption using Advanced Encryption Standard-256 (AES-256) on the destination bucket.
Use Amazon Cognito for authorization and authentication to ensure the security of the application and documents.
Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket.
Use client-side encryption/decryption with Amazon S3 and AWS KMS.
Explanations:
S3 default encryption with AES-256 ensures that data is encrypted at rest, but it does not provide control over encryption keys or meet the need for client-side encryption or auditing of document access.
Amazon Cognito provides user authentication and authorization but does not directly address secure document storage, encryption, or auditing of access to sensitive documents.
Using AWS Lambda to encrypt and decrypt objects as they are uploaded to S3 is a potential approach, but it introduces complexity and does not leverage S3’s native capabilities or integrate with KMS for key management, which is more efficient and secure.
Client-side encryption using AWS KMS offers the highest level of control over encryption keys and ensures that documents are encrypted before they are uploaded to S3. This also enables detailed auditing of document access via AWS CloudTrail, ensuring compliance with security standards.
As far as I’m aware, the answer is:
Use client-side encryption/decryption with Amazon S3 and AWS KMS.
I evaluate that the answer is:
Use client-side encryption/decryption with Amazon S3 and AWS KMS.