AWS Certified Big Data - Specialty: Managing Encryption Keys for Data Sets on AWS

Managing Encryption Keys for Data Sets on AWS

Question

A team is planning on uploading multiple data sets onto AWS.

These data sets will be queried using JDBC drivers from existing BI tools.

There is a requirement that all data sets are encrypted at rest.

They want to ensure that they manage the underlying keys which are used for encryption.

Which of the following can be used for this purpose? Choose 3 answers from the options given below.

Answers

A. Use S3 server-side encryption with customer-provided keys (SSE-C)
B. Use S3 client-side encryption
C. Use S3 server-side encryption with Amazon S3 managed keys (SSE-S3)
D. Use S3 server-side encryption with AWS KMS keys (SSE-KMS)
E. Use S3 server-side encryption with AWS KMS keys, with the key material uploaded by the company to KMS

Explanations

Answer - A, B and E.

The AWS Documentation mentions the following.

Server-side encryption is about protecting data at rest.

Using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys.

With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects.

Therefore, you don't need to maintain any code to perform data encryption and decryption.

The only thing you do is manage the encryption keys you provide.
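What "manage the encryption keys you provide" means at the request level is shown by the following Go program, which is an added example and not code from the page or from AWS. It builds the three SSE-C headers S3 requires on every PUT and GET of an SSE-C object from a 256-bit key, and performs the same MD5 consistency check S3 makes before it will use a supplied key. The header names and the AES256 value are S3's own; the validation function is a local model of the server-side check, not AWS code, and the key is generated inline.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SSE-C keys are raw 256-bit AES keys; S3 uses the key exactly as supplied.
const sseCKeyLen = 32

// SSECHeaders builds the three headers S3 requires on every request that
// writes or reads an SSE-C object. The key itself travels in the request
// (which is why S3 only accepts SSE-C over HTTPS); the MD5 is an integrity
// check on the key as transmitted, not a secret.
func SSECHeaders(key []byte) (map[string]string, error) {
	if len(key) != sseCKeyLen {
		return nil, fmt.Errorf("SSE-C key must be %d bytes, got %d", sseCKeyLen, len(key))
	}
	sum := md5.Sum(key)
	return map[string]string{
		"x-amz-server-side-encryption-customer-algorithm": "AES256",
		"x-amz-server-side-encryption-customer-key":       base64.StdEncoding.EncodeToString(key),
		"x-amz-server-side-encryption-customer-key-MD5":   base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// ValidateSSECHeaders is a local model of the check S3 performs before using a
// supplied key: decode it, recompute the MD5 and compare it with the MD5
// header, so a corrupted or mistyped key is rejected before any decryption is
// attempted. S3 stores only a salted HMAC of the key, never the key, so the
// same headers with the same key must accompany every later GET as well.
func ValidateSSECHeaders(h map[string]string) ([]byte, error) {
	if h["x-amz-server-side-encryption-customer-algorithm"] != "AES256" {
		return nil, errors.New("SSE-C: algorithm must be AES256")
	}
	key, err := base64.StdEncoding.DecodeString(h["x-amz-server-side-encryption-customer-key"])
	if err != nil || len(key) != sseCKeyLen {
		return nil, errors.New("SSE-C: key is not a base64-encoded 256-bit key")
	}
	sum := md5.Sum(key)
	if base64.StdEncoding.EncodeToString(sum[:]) != h["x-amz-server-side-encryption-customer-key-MD5"] {
		return nil, errors.New("SSE-C: key MD5 header does not match the key")
	}
	return key, nil
}

func main() {
	// The key is generated and kept by the team; AWS never stores it.
	key := make([]byte, sseCKeyLen)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	h, err := SSECHeaders(key)
	if err != nil {
		panic(err)
	}
	for name, value := range h {
		fmt.Printf("%s: %s\n", name, value)
	}
	if _, err := ValidateSSECHeaders(h); err != nil {
		panic(err)
	}
	// A request whose key does not match its MD5 header is rejected.
	h["x-amz-server-side-encryption-customer-key-MD5"] = "AAAAAAAAAAAAAAAAAAAAAA=="
	_, err = ValidateSSECHeaders(h)
	fmt.Println("tampered request rejected:", err != nil)
}
```

Because the key must be presented on every read, the BI tool's JDBC path to the data also has to be able to send these headers; losing the key means losing the objects, since S3 keeps nothing it could recover them with.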

Client-side encryption is the act of encrypting data before sending it to Amazon S3.

To enable client-side encryption, you have the following options:

Use an AWS KMS-managed customer master key.

Use a client-side master key.
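The second option, a client-side master key, is shown by the following Go program, an added example that is not code from the page or from the AWS S3 Encryption Client. It performs envelope encryption the way that client does: each object gets a fresh data key, the body is encrypted with AES-256-GCM, and the data key is wrapped under the team's master key and stored in the object's user metadata, so S3 only ever receives ciphertext and a wrapped key. The metadata names are modeled on the ones the AWS S3 Encryption Client writes (x-amz-key-v2, x-amz-iv, x-amz-cek-alg, x-amz-wrap-alg); the values, the wrapping scheme and the sample data set are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptedObject is what would actually be uploaded: an opaque body plus user
// metadata. Only the wrapped data key travels with the object; the master key
// stays with the team.
type EncryptedObject struct {
	Body     []byte
	Metadata map[string]string
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// EncryptObject performs envelope encryption: a fresh 256-bit data key encrypts
// the object with AES-256-GCM, and the data key is itself wrapped with the
// client-side master key (also AES-256-GCM, with its own nonce). One data key
// per object means a leaked data key exposes exactly one object.
func EncryptObject(masterKey, plaintext []byte) (*EncryptedObject, error) {
	dataKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	contentAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	iv, err := randomBytes(contentAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	body := contentAEAD.Seal(nil, iv, plaintext, nil)
	wrapAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	wrapIV, err := randomBytes(wrapAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	wrappedKey := wrapAEAD.Seal(wrapIV, wrapIV, dataKey, nil) // nonce || ciphertext || tag
	return &EncryptedObject{Body: body, Metadata: map[string]string{
		"x-amz-key-v2":   base64.StdEncoding.EncodeToString(wrappedKey),
		"x-amz-iv":       base64.StdEncoding.EncodeToString(iv),
		"x-amz-cek-alg":  "AES/GCM/NoPadding",
		"x-amz-wrap-alg": "AES/GCM", // this example's own wrap-algorithm label
	}}, nil
}

// DecryptObject unwraps the data key with the master key, then decrypts the
// body. A wrong master key, or a tampered body or metadata, fails the GCM
// authentication check and returns an error instead of garbage.
func DecryptObject(masterKey []byte, obj *EncryptedObject) ([]byte, error) {
	wrappedKey, err := base64.StdEncoding.DecodeString(obj.Metadata["x-amz-key-v2"])
	if err != nil {
		return nil, err
	}
	iv, err := base64.StdEncoding.DecodeString(obj.Metadata["x-amz-iv"])
	if err != nil {
		return nil, err
	}
	wrapAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	n := wrapAEAD.NonceSize()
	if len(wrappedKey) < n || len(iv) != n {
		return nil, errors.New("malformed encryption metadata")
	}
	dataKey, err := wrapAEAD.Open(nil, wrappedKey[:n], wrappedKey[n:], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	contentAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return contentAEAD.Open(nil, iv, obj.Body, nil)
}

func main() {
	masterKey, _ := randomBytes(32)              // held by the team, never uploaded
	plaintext := []byte("id,amount\n1,42\n2,17\n") // constructed sample data set
	obj, err := EncryptObject(masterKey, plaintext)
	if err != nil {
		panic(err)
	}
	got, err := DecryptObject(masterKey, obj)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, plaintext))
	other, _ := randomBytes(32)
	_, err = DecryptObject(other, obj)
	fmt.Println("wrong master key rejected:", err != nil)
}
```

Note that only the body is protected: object keys (names), sizes and any other user metadata remain visible to S3, and every consumer, including the BI tool's query path, needs the master key and this decryption logic.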

Options C and D are incorrect: with SSE-S3 the keys are created, stored and rotated entirely by AWS, and with a KMS-generated key the key material is generated and held by KMS, so in neither case does the team manage the complete lifecycle of the keys.

Option E is correct, because importing your own key material into KMS (bring your own key) leaves the team in possession of the key material and able to expire or delete it from KMS at any time; see the AWS announcement below for details:

https://aws.amazon.com/blogs/aws/new-bring-your-own-keys-with-aws-key-management-service/
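The import step behind option E is shown by the following Go program, an added example that is not code from the page or from AWS. KMS returns an RSA public wrapping key and an import token from GetParametersForImport; the team generates 256 bits of key material, wraps it with that public key using RSAES_OAEP_SHA_256 (one of the wrapping algorithms ImportKeyMaterial accepts) and sends only the wrapped blob to KMS. Because the program runs offline, a locally generated RSA key pair stands in for the KMS wrapping key, and the unwrap function models what KMS does inside the service; neither exists in the real flow outside KMS.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// A symmetric KMS key (SYMMETRIC_DEFAULT) takes exactly 256 bits of imported
// key material.
const keyMaterialLen = 32

// GenerateKeyMaterial produces the key material the team owns. Keep a copy
// outside AWS: KMS cannot recover imported material, and the same material
// must be re-imported after it expires or is deleted.
func GenerateKeyMaterial() ([]byte, error) {
	material := make([]byte, keyMaterialLen)
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	return material, nil
}

// ParseWrappingKey parses the DER-encoded RSA public key that
// GetParametersForImport returns (base64-encoded in CLI and SDK output).
func ParseWrappingKey(der []byte) (*rsa.PublicKey, error) {
	k, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not an RSA key")
	}
	return pub, nil
}

// WrapKeyMaterial encrypts the material with the KMS public wrapping key using
// RSAES_OAEP_SHA_256. Only this blob (the EncryptedKeyMaterial parameter of
// ImportKeyMaterial) and the import token are sent to KMS; the plaintext
// material never is.
func WrapKeyMaterial(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	if len(material) != keyMaterialLen {
		return nil, fmt.Errorf("key material must be %d bytes, got %d", keyMaterialLen, len(material))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// UnwrapKeyMaterial models the operation KMS performs inside the service with
// the private half of the wrapping key. It is here only to show the round
// trip; in the real flow the private key never leaves KMS.
func UnwrapKeyMaterial(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	// Stand-in for KMS: a locally generated 2048-bit RSA key pair. In practice
	// the public half comes from GetParametersForImport together with an
	// import token that is valid for 24 hours.
	kmsPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&kmsPriv.PublicKey)
	pub, err := ParseWrappingKey(der)
	if err != nil {
		panic(err)
	}
	material, _ := GenerateKeyMaterial() // keep this copy somewhere safe, off AWS
	wrapped, err := WrapKeyMaterial(pub, material)
	if err != nil {
		panic(err)
	}
	fmt.Println("EncryptedKeyMaterial (base64):", base64.StdEncoding.EncodeToString(wrapped))
	got, err := UnwrapKeyMaterial(kmsPriv, wrapped)
	fmt.Println("KMS would hold the same material:", err == nil && bytes.Equal(got, material))
}
```

The KMS key itself is created beforehand with origin EXTERNAL and stays in the PendingImport state until the material arrives; S3 then uses it like any other KMS key for SSE-KMS, and deleting the imported material from KMS puts the key back into PendingImport, so objects encrypted under it can no longer be read until the team re-imports the same material.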

For more information on server-side encryption with customer-provided keys and on client-side encryption, refer to the URLs below.

https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html

The team needs to upload multiple data sets onto AWS and ensure that they are encrypted at rest. They also want to manage the underlying keys which are used for encryption.

The options break down as follows:

A. Use S3 server-side encryption with customer-provided keys (SSE-C): the team supplies its own 256-bit key with each request. S3 uses that key to encrypt the object on write and decrypt it on read, but does not store the key itself (it keeps only a salted HMAC of the key to validate later requests). The team has full control over the key, and is therefore also responsible for generating, storing and rotating it securely, and for sending it over HTTPS with every request, including reads.

B. Use S3 client-side encryption: the data is encrypted before it is uploaded, so S3 only ever sees ciphertext and never has access to the key. The client-side master key can be held by the team or be a KMS key. This gives the most control, but it requires encryption and decryption logic (for example the AWS S3 Encryption Client) on every producer and consumer, which adds effort and may not be the most efficient choice for large data sets.

C. Use S3 server-side encryption with Amazon S3 managed keys (SSE-S3): S3 generates, stores and rotates the keys itself. The team relies on AWS to manage the keys and has no control over them.

D. Use S3 server-side encryption with AWS KMS keys (SSE-KMS): the team can create its own KMS key or use the AWS managed key for S3, and can control the key policy, rotation and deletion in KMS. The key material itself, however, is generated and held by KMS, so the team still does not manage the complete lifecycle of the key.

E. Use S3 server-side encryption with AWS KMS keys whose key material is uploaded by the company to KMS (bring your own key): the team generates the key material outside AWS, wraps it with the public key KMS provides and imports it into a KMS key created with origin EXTERNAL. S3 then uses that KMS key for SSE-KMS. The team retains the original key material, can set an expiry on the imported material and can delete it from KMS at any time, which immediately makes the key unusable for decryption until the material is imported again.

In summary, the three options that satisfy the requirement to manage the underlying keys are:

  • A: S3 server-side encryption with customer-provided keys (SSE-C)
  • B: S3 client-side encryption
  • E: S3 server-side encryption with AWS KMS keys using key material imported by the company

The team should evaluate the trade-offs between control, security and operational complexity when choosing among them.