How should the developer code the application?
Use the KMS Encrypt API to encrypt the data. Store the encrypted data key and data.
Use a cryptography library to generate an encryption key for the application. Use the encryption key to encrypt the data. Store the encrypted data.
Use the KMS GenerateDataKey API to get a data key. Encrypt the data with the data key. Store the encrypted data key and data.
Upload the data to an S3 bucket using server side-encryption with an AWS KMS key.
Explanations:
The KMS Encrypt API is not the right choice for encrypting the video data itself. Encrypt sends the plaintext to KMS and accepts at most 4 KB of it per call, so it cannot encrypt a video file, and it does not produce a data key, so there is no per-file key to store alongside the data. Encrypt is intended for small payloads such as data keys or credentials, not for bulk application data.
Generating the key with a cryptography library inside the application is valid cryptographically, but the key is then protected only as well as wherever the application stores it: there is no hardware-backed key, no CloudTrail record of key use, and rotation and revocation become manual processes. This option does not use AWS KMS for key management and protection at all.
This option is the envelope-encryption pattern KMS is designed for. GenerateDataKey returns a fresh data key twice: in plaintext and encrypted under the KMS key. The application uses the plaintext copy in memory to encrypt the video locally (so the 4 KB limit of the Encrypt API does not apply), discards the plaintext key, and stores the encrypted data key next to the encrypted data. To read the video later, the application calls KMS Decrypt on the stored encrypted data key, which only succeeds for a principal with permission on the KMS key, and then decrypts the data locally. Each file gets its own key while the KMS key that protects those keys never leaves KMS.
Uploading the data to S3 with server-side encryption using an AWS KMS key (SSE-KMS) does encrypt the object at rest, but the encryption happens on the S3 side after the plaintext has been sent over TLS. The application never encrypts the data itself, so this does not meet the requirement of encrypting the data within the application prior to storage.
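The envelope-encryption flow behind the third option, written out as an added example (it is not code from the original question or from AWS). The `DataKeyProvider` interface is an assumption standing in for the two KMS calls the application needs, `GenerateDataKey` and `Decrypt`; the `localKMS` type is a stand-in that wraps data keys under a master key it never exposes, so the example runs offline with no AWS credentials. In a real deployment that interface would be implemented with the AWS SDK's KMS client, and only the `Envelope` (encrypted data key, nonce, ciphertext) would be persisted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DataKeyProvider is the subset of the KMS API the application depends on.
// Assumption: in production this is backed by kms.GenerateDataKey and
// kms.Decrypt; here localKMS implements it so the example runs offline.
type DataKeyProvider interface {
	GenerateDataKey() (plaintextKey, encryptedKey []byte, err error)
	Decrypt(encryptedKey []byte) ([]byte, error)
}

// localKMS is an illustrative stand-in for AWS KMS. Its master key is
// generated at startup and never returned to callers; it only wraps and
// unwraps data keys with AES-256-GCM.
type localKMS struct{ aead cipher.AEAD }

func newLocalKMS() (*localKMS, error) {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &localKMS{aead: aead}, nil
}

// GenerateDataKey mirrors KMS: a fresh 256-bit key is returned both in
// plaintext and wrapped under the master key (nonce || ciphertext || tag).
func (k *localKMS) GenerateDataKey() ([]byte, []byte, error) {
	plain := make([]byte, 32)
	if _, err := rand.Read(plain); err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	wrapped := k.aead.Seal(nonce, nonce, plain, nil)
	return plain, wrapped, nil
}

// Decrypt unwraps a data key; it fails if the blob was not produced by this
// master key or was modified.
func (k *localKMS) Decrypt(wrapped []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped key too short")
	}
	return k.aead.Open(nil, wrapped[:n], wrapped[n:], nil)
}

// Envelope is everything the application stores per video. The plaintext
// data key is deliberately absent: it lives only in memory during a call.
type Envelope struct {
	EncryptedDataKey []byte
	Nonce            []byte
	Ciphertext       []byte
}

// EncryptObject gets a per-object data key from KMS, encrypts the data
// locally with AES-256-GCM, and binds the ciphertext to its wrapped key by
// using the encrypted data key as associated data.
func EncryptObject(kms DataKeyProvider, plaintext []byte) (*Envelope, error) {
	plainKey, encKey, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(plainKey) // never keep the plaintext key around
	block, err := aes.NewCipher(plainKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, encKey)
	return &Envelope{EncryptedDataKey: encKey, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptObject asks KMS to unwrap the stored data key, then decrypts the
// data locally. Any tampering with the ciphertext, nonce or key blob fails.
func DecryptObject(kms DataKeyProvider, env *Envelope) ([]byte, error) {
	plainKey, err := kms.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(plainKey)
	block, err := aes.NewCipher(plainKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.EncryptedDataKey)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms, err := newLocalKMS()
	if err != nil {
		panic(err)
	}
	video := []byte("constructed sample video bytes, stand-in for a real file")
	env, err := EncryptObject(kms, video)
	if err != nil {
		panic(err)
	}
	got, err := DecryptObject(kms, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(got, video))
}
```

Using the wrapped key as GCM associated data is an addition beyond the question's minimum: it means a stored object cannot be silently re-associated with a different key blob. With the real SDK, `localKMS` is replaced by a client whose `Decrypt` call is authorised by the KMS key policy, which is where the per-principal access control and the CloudTrail audit trail come from.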