Which approach MOST efficiently meets the company’s needs?
Use the AWS Encryption SDK and set the maximum age to 10 days and the maximum number of messages encrypted to 2^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object.
Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3.
Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.
Explanations:
This option uses the AWS Encryption SDK with data key caching, which lets you bound how long a cached data key may be reused (maximum age) and how many messages may be encrypted under it (maximum messages encrypted) before the SDK requests a fresh data key. The master key and the data keys come from AWS KMS, so key generation stays under KMS control and audit. At 100 objects per second, the 2^16 message limit is reached roughly every 655 seconds, well inside the 10-day limit, so KMS is called a handful of times per hour instead of once per object. This meets both rotation constraints with the least custom code and the lowest KMS call volume.
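The following is an added, constructed model of the two cache limits described above; it is not code from the AWS Encryption SDK or from the original page. In the real SDK for Python the limits are the `max_age` and `max_messages_encrypted` arguments of `CachingCryptoMaterialsManager` wrapping a `LocalCryptoMaterialsCache`, and the data key comes from KMS through a master key provider. Here a hypothetical `fake_generate_data_key` stands in for the KMS call so the model runs offline, and `simulate` counts how many data keys a given upload rate would consume.

```python
"""Constructed model of AWS Encryption SDK data key caching limits.

Not the SDK's own code. It shows why a cached data key bounded by
max age (10 days) and max messages (2^16) keeps KMS call volume low
at 100 uploads per second.
"""
import os
import time
from dataclasses import dataclass

MAX_AGE_SECONDS = 10 * 24 * 3600   # 10 days, the regulatory age limit
MAX_MESSAGES = 2 ** 16             # messages per data key before rotation


@dataclass
class DataKeyEntry:
    plaintext_key: bytes       # what a KMS GenerateDataKey call would return
    encrypted_key: bytes       # the wrapped copy stored alongside ciphertext
    created_at: float
    messages_encrypted: int = 0


class DataKeyCache:
    """Reuse one data key until either limit fires, then fetch a new one."""

    def __init__(self, generate_data_key, max_age=MAX_AGE_SECONDS,
                 max_messages=MAX_MESSAGES, clock=time.time):
        self._generate = generate_data_key   # stand-in for KMS GenerateDataKey
        self.max_age = max_age
        self.max_messages = max_messages
        self.clock = clock                   # injectable for simulation
        self.entry = None
        self.keys_generated = 0              # number of "KMS calls" made

    def _expired(self, now):
        e = self.entry
        return (e is None
                or now - e.created_at >= self.max_age
                or e.messages_encrypted >= self.max_messages)

    def get_key_for_encrypt(self):
        """Return the data key to use for the next message, rotating if needed."""
        now = self.clock()
        if self._expired(now):
            plaintext, wrapped = self._generate()
            self.entry = DataKeyEntry(plaintext, wrapped, now)
            self.keys_generated += 1
        self.entry.messages_encrypted += 1
        return self.entry


def fake_generate_data_key():
    """Hypothetical stand-in for KMS GenerateDataKey (constructed, offline).

    The 'wrapped' value is a placeholder, not real key wrapping.
    """
    key = os.urandom(32)
    return key, b"WRAPPED:" + key[::-1]


def simulate(objects, rate_per_second, max_age=MAX_AGE_SECONDS,
             max_messages=MAX_MESSAGES):
    """Return how many data keys (KMS calls) `objects` uploads at a steady rate need."""
    now = [0.0]
    cache = DataKeyCache(fake_generate_data_key, max_age, max_messages,
                         clock=lambda: now[0])
    interval = 1.0 / rate_per_second
    for _ in range(objects):
        cache.get_key_for_encrypt()
        now[0] += interval
    return cache.keys_generated


def rotation_interval_seconds(rate_per_second, max_age=MAX_AGE_SECONDS,
                              max_messages=MAX_MESSAGES):
    """Seconds between data key rotations: whichever limit fires first."""
    return min(max_age, max_messages / rate_per_second)


if __name__ == "__main__":
    print("rotation every", rotation_interval_seconds(100), "s at 100 objects/s")
    print("keys for 1 hour of uploads:", simulate(100 * 3600, 100))
```

At 100 objects per second the message limit fires first (every 655.36 s), so an hour of uploads costs six data keys; the age limit only matters for very low upload rates, which the test below exercises by shrinking `max_age`.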
While AWS KMS can provide an AWS managed CMK, rotating the client-side data key for every object does not use the 10-day and 2^16-object allowances at all: it generates a new data key per upload, which at 100 objects per second means roughly 100 KMS key-generation calls per second. That adds cost and request-rate pressure without any benefit over the specified rotation constraints, so it is far from the most efficient approach.
This option uses AWS CloudHSM to generate keys, which is valid but adds the cost and operational overhead of running an HSM cluster. Encrypting locally with Boto 3 still requires writing and maintaining your own encryption and key-tracking code, and enforcing the 10-day or 2^16-object rotation by hand is error-prone at this upload rate. It can meet the requirement, but not most efficiently.
SSE-S3 with automatic key rotation gives the company no control over, or visibility into, the age of a data key or the number of objects encrypted under it; S3 manages those keys internally on its own schedule. Because the regulatory requirement is specifically about rotating before a key reaches its age or message limit, SSE-S3 cannot demonstrate compliance and is unsuitable for the company's needs.