How should the Developer code the application?
Use the KMS Encrypt API to encrypt the data. Store the encrypted data key and data.
Use a cryptography library to generate an encryption key for the application. Use the encryption key to encrypt the data. Store the encrypted data.
Use the KMS GenerateDataKey API to get a data key. Encrypt the data with the data key. Store the encrypted data key and data.
Upload the data to an S3 bucket using server-side encryption with an AWS KMS key.
Explanations:
The KMS Encrypt API encrypts the supplied bytes directly under the KMS key, so there is no per-file data key to store at all, and the option's instruction to store an encrypted data key does not match what the API returns. It is also limited to 4 KB of plaintext per call, so it cannot encrypt a video file; Encrypt is intended for small secrets and for wrapping keys, not for bulk data.
Generating the key locally with a cryptography library produces a working cipher, but the key is then protected only by whatever the application does with it: there is no KMS key policy or IAM control over who may use it, no CloudTrail record of its use, and no hardware-backed storage. A single application key used for every file also fails the per-file requirement, and rotating or revoking it means re-encrypting everything.
This option is envelope encryption, which is what KMS is designed for. GenerateDataKey returns a fresh data key in two forms: the plaintext key, which the application uses to encrypt the video and then discards from memory, and the same key encrypted under the KMS key, which is stored alongside the ciphertext. To read the file, the application passes the stored encrypted data key to KMS Decrypt and decrypts the video locally. The KMS key never leaves KMS, each file has its own key, and access to every file remains governed by the KMS key policy and logged in CloudTrail.
Server-side encryption with an AWS KMS key is a sound way to protect objects at rest, and S3 does use envelope encryption internally, but the data keys are generated and handled by S3 rather than by the application: every object is protected under the one KMS key configured for the bucket, and the application never holds or stores a per-file key. It therefore cannot satisfy a requirement that the application itself encrypt each video with its own key.
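The envelope-encryption flow behind the GenerateDataKey option, as an added example that is not part of the original question or of any AWS SDK. It is written in Go against the standard library so it runs offline: the `fakeKMS` type and its `GenerateDataKey`/`Decrypt` methods are a hypothetical local stand-in that only mirrors the shape of the KMS responses (a plaintext key plus a `CiphertextBlob`), and `EncryptVideo`/`DecryptVideo` are the application side. In a real deployment the stand-in is replaced by the AWS SDK's KMS client; the application code does not change.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// DataKey carries the two fields that matter in a KMS GenerateDataKey
// response: the plaintext key (used once, then wiped) and the same key
// encrypted under the KMS key (stored next to the data).
type DataKey struct {
	Plaintext      []byte
	CiphertextBlob []byte
}

// KeyService is the slice of the KMS API the application needs.
type KeyService interface {
	GenerateDataKey() (DataKey, error)
	Decrypt(ciphertextBlob []byte) ([]byte, error)
}

// fakeKMS is a hypothetical offline stand-in for KMS (not an AWS component):
// it wraps each data key under a master key that never leaves the service.
type fakeKMS struct{ master []byte }

func newFakeKMS() (*fakeKMS, error) {
	master := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		return nil, err
	}
	return &fakeKMS{master: master}, nil
}

// GenerateDataKey returns a fresh 256-bit key, both in the clear and wrapped.
func (k *fakeKMS) GenerateDataKey() (DataKey, error) {
	plain := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, plain); err != nil {
		return DataKey{}, err
	}
	wrapped, err := sealAESGCM(k.master, plain)
	if err != nil {
		return DataKey{}, err
	}
	return DataKey{Plaintext: plain, CiphertextBlob: wrapped}, nil
}

// Decrypt unwraps a data key; a tampered blob fails authentication.
func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	return openAESGCM(k.master, blob)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce || ciphertext || tag under AES-256-GCM.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM and rejects truncated or modified input.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// EncryptedVideo is what the application stores: wrapped key plus ciphertext.
type EncryptedVideo struct {
	EncryptedDataKey []byte
	Ciphertext       []byte
}

// EncryptVideo uses one fresh data key per file and wipes the plaintext key
// as soon as the file has been encrypted.
func EncryptVideo(kms KeyService, video []byte) (EncryptedVideo, error) {
	dk, err := kms.GenerateDataKey()
	if err != nil {
		return EncryptedVideo{}, err
	}
	defer zero(dk.Plaintext)
	ct, err := sealAESGCM(dk.Plaintext, video)
	if err != nil {
		return EncryptedVideo{}, err
	}
	return EncryptedVideo{EncryptedDataKey: dk.CiphertextBlob, Ciphertext: ct}, nil
}

// DecryptVideo asks KMS to unwrap the stored data key, then decrypts locally.
func DecryptVideo(kms KeyService, ev EncryptedVideo) ([]byte, error) {
	key, err := kms.Decrypt(ev.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(key)
	return openAESGCM(key, ev.Ciphertext)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms, err := newFakeKMS()
	if err != nil {
		panic(err)
	}
	video := []byte("constructed sample: pretend these are MP4 bytes")
	a, _ := EncryptVideo(kms, video)
	b, _ := EncryptVideo(kms, video)
	fmt.Println("distinct wrapped key per file:", !bytes.Equal(a.EncryptedDataKey, b.EncryptedDataKey))
}
```

The stored record holds only the wrapped key, so a copy of the storage bucket is useless without permission to call Decrypt on the KMS key, and revoking that permission revokes access to every file at once without re-encrypting anything.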