PdfPrep.com

What should a solutions architect use to accomplish this?

A company is planning to use Amazon S3 to store images uploaded by its users. The images must be encrypted at rest in Amazon S3. The company does not want to spend time managing and rotating the keys, but it does want to control who can access those keys.

What should a solutions architect use to accomplish this?
A. Server-Side Encryption with keys stored in an S3 bucket
B. Server-Side Encryption with Customer-Provided Keys (SSE-C)
C. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
D. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)

Answer: D

Explanation:

Link: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

"Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service. There are separate permissions for the use of a CMK that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail that shows when your CMK was used and by whom."

Server-Side Encryption: Using SSE-KMS

You can protect data at rest in Amazon S3 by using three different modes of server-side encryption: SSE-S3, SSE-C, or SSE-KMS.

SSE-S3 requires that Amazon S3 manage the data and master encryption keys. For more information about SSE-S3, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

SSE-C requires that you manage the encryption key. For more information about SSE-C, see Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C).

SSE-KMS requires that AWS manage the data key but you manage the customer master key (CMK) in AWS KMS.

The remainder of this topic discusses how to protect data by using server-side encryption with AWS KMS-managed keys (SSE-KMS).

You can request encryption and select a CMK by using the Amazon S3 console or API. In the console, check the appropriate box to perform encryption and select your CMK from the list. For the Amazon S3 API, specify encryption and choose your CMK by setting the appropriate headers in a GET or PUT request.

https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html#sse
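The explanation above says encryption and the CMK are chosen through request headers. The following added example (not from the original page or from AWS) builds those headers for a PUT request and a bucket policy that rejects uploads lacking them, then checks sample requests locally. The bucket name and key ARN are constructed placeholders, and `upload_denied_by` is a hypothetical helper that only approximates how S3 evaluates these two statements.

```python
SSE_HEADER = "x-amz-server-side-encryption"
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

# Constructed sample values, not taken from the page.
BUCKET = "example-user-images"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def sse_kms_headers(key_arn):
    """Headers a PUT Object request carries to ask for SSE-KMS with one CMK."""
    return {SSE_HEADER: "aws:kms", KEY_HEADER: key_arn}


def enforce_sse_kms_policy(bucket, key_arn):
    """Bucket policy that rejects uploads not encrypted with the given CMK."""
    resource = f"arn:aws:s3:::{bucket}/*"

    def deny(sid, header, value):
        # The S3 condition key is the header name prefixed with "s3:".
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": resource,
                "Condition": {"StringNotEquals": {f"s3:{header}": value}}}

    return {"Version": "2012-10-17", "Statement": [
        deny("DenyNonKmsUploads", SSE_HEADER, "aws:kms"),
        deny("DenyOtherKeys", KEY_HEADER, key_arn),
    ]}


def upload_denied_by(policy, headers):
    """Return the Sids of Deny statements a request with these headers hits.

    Local approximation only: StringNotEquals is true when the header has
    a different value and also when the header is missing from the request.
    """
    hits = []
    for stmt in policy["Statement"]:
        for cond_key, expected in stmt["Condition"]["StringNotEquals"].items():
            header = cond_key.split(":", 1)[1]
            if headers.get(header) != expected:
                hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = enforce_sse_kms_policy(BUCKET, KEY_ARN)
    for name, hdrs in [("sse-kms", sse_kms_headers(KEY_ARN)),
                       ("sse-s3", {SSE_HEADER: "AES256"}),
                       ("no headers", {})]:
        print(name, "->", upload_denied_by(policy, hdrs) or "allowed")
```

A policy like this controls how objects are written; who may use the CMK itself is governed separately by the key's own permissions in AWS KMS, which is the access control the question asks for.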
