AWS Athena Data Encryption: Custom and Generic Encryption Options | BDS-C00 Exam | Amazon

AWS Athena Data Encryption

Question

A company has a large number of datasets that are being sent over to S3 for storage.

They want their Data science team to query the data using the AWS Athena service.

There is the additional requirement for ensuring the data is encrypted at rest.

When it comes to the encryption, the following are the key requirements:

- Custom keys are used for encryption for one central data set
- Generic encryption is used for all other data sets

Which of the following would you use to fulfil this requirement? Choose 2 answers from the options given below.

Answers

Explanations


A. B. C. D. E. F.

Answer - B and E.

The AWS Documentation mentions the following.

Athena supports the following Amazon S3 encryption options, both for encrypted datasets in Amazon S3 and for encrypted query results:

Server-side encryption with an Amazon S3-managed key (SSE-S3)

Server-side encryption with an AWS KMS-managed key (SSE-KMS)

Client-side encryption with an AWS KMS-managed key (CSE-KMS)

Option A is incorrect since there is a requirement for custom keys to be used for the central data set.

Options C, D and F are incorrect since Athena does not support any of those options.

For more information on encryption with Athena, please refer to the below URL.

https://docs.aws.amazon.com/athena/latest/ug/encryption.html

To fulfill the requirement of encrypting data at rest in S3, there are two options available for the one central data set:

Option A: S3 Server-side Encryption for the one central data set with S3 Managed Keys: This option enables server-side encryption using S3 managed keys for the one central data set. With this option, the data is encrypted using a unique set of keys, which is managed by Amazon S3. S3 managed keys are generated and managed by Amazon S3, so there is no need for the user to manage any encryption keys. However, this option does not provide the customization needed for a specific key.

Option B: S3 Server-side Encryption for the one central data set with KMS Managed Keys: This option enables server-side encryption using KMS managed keys for the one central data set. With this option, the data is encrypted using a unique set of keys managed by AWS Key Management Service (KMS). KMS allows the user to create and manage customer master keys (CMKs), which can be used to encrypt and decrypt data in S3. This option provides the customization needed for a specific key.

For all other data sets, there are also two options available:

Option E: S3 Server-side Encryption for the other data sets with S3 Managed Keys: This option enables server-side encryption using S3 managed keys for all other data sets. With this option, the data is encrypted using a unique set of keys, which is managed by Amazon S3. S3 managed keys are generated and managed by Amazon S3, so there is no need for the user to manage any encryption keys.

Option F: S3 Server-side Encryption for the other data sets with client-side Managed Keys: This option enables server-side encryption using client-side managed keys for all other data sets. With this option, the data is encrypted using a unique set of keys that are managed by the client. The user can generate and manage the encryption keys used to encrypt and decrypt data in S3.

Options C and D are not relevant to this requirement because they deal with client-side encryption, which is not needed here.

Therefore, the correct options are A and B for the one central data set and E or F for all other data sets.
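The following is an added example, not code from the original page or from AWS, that turns the answer-key requirement (SSE-KMS with a customer managed key for the one central data set, SSE-S3 for every other data set) into concrete controls: the boto3 request arguments an uploader must send, a bucket default-encryption setting for the generic data sets, a bucket policy that rejects central-prefix uploads without the right key, the Athena workgroup result-encryption setting so query output is encrypted at rest too, and an audit that flags existing objects whose HeadObject metadata does not match. The bucket name, the `central/` prefix and the KMS key ARN are assumed placeholders; the inventory at the bottom is constructed sample data.

```python
"""
Added example, not from the original page or from AWS: encodes the question's
requirement (SSE-KMS with a customer managed key for the one central data set,
SSE-S3 for every other data set) as boto3 request arguments, a bucket policy
that rejects non-conforming uploads, an Athena workgroup result-encryption
setting, and an audit check over HeadObject metadata.
Bucket name, prefix and KMS key ARN are assumed placeholders.
"""
import json

BUCKET = "example-datasets-bucket"        # assumed bucket name
CENTRAL_PREFIX = "central/"               # assumed prefix of the custom-key data set
CENTRAL_KMS_KEY_ARN = (                   # placeholder, not a real key
    "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000")


def required_encryption(key):
    """Return (ServerSideEncryption value, KMS key ARN or None) for an object key."""
    if key.startswith(CENTRAL_PREFIX):
        return "aws:kms", CENTRAL_KMS_KEY_ARN   # SSE-KMS with the customer managed key
    return "AES256", None                       # SSE-S3, generic encryption


def put_object_args(key):
    """Keyword arguments for s3.put_object (or upload_file's ExtraArgs)."""
    sse, kms_key = required_encryption(key)
    args = {"ServerSideEncryption": sse}
    if kms_key:
        args["SSEKMSKeyId"] = kms_key
    return args


def bucket_encryption_config():
    """Default bucket encryption (put_bucket_encryption): SSE-S3 for everything else."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def bucket_policy():
    """Bucket policy denying central-prefix uploads that do not use SSE-KMS with our key.

    Two Deny statements on purpose: one StringNotEquals holding both condition keys
    would deny only when *both* mismatch. Negated operators also match a missing header.
    """
    central_arn = f"arn:aws:s3:::{BUCKET}/{CENTRAL_PREFIX}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyCentralNotSseKms", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": central_arn,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyCentralWrongKmsKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": central_arn,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": CENTRAL_KMS_KEY_ARN}}},
        ],
    }


def athena_result_configuration():
    """Athena workgroup ResultConfiguration so query results are encrypted at rest too."""
    return {
        "OutputLocation": f"s3://{BUCKET}/athena-results/",   # assumed location
        "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS",
                                    "KmsKey": CENTRAL_KMS_KEY_ARN},
    }


def audit_object(key, head_response):
    """Compare a HeadObject response against the policy; return a list of findings."""
    want_sse, want_key = required_encryption(key)
    got_sse = head_response.get("ServerSideEncryption")
    got_key = head_response.get("SSEKMSKeyId")
    findings = []
    if got_sse != want_sse:
        findings.append(f"{key}: expected {want_sse}, found {got_sse or 'none'}")
    if want_key and got_key != want_key:
        findings.append(f"{key}: expected KMS key {want_key}, found {got_key or 'none'}")
    return findings


# Constructed sample inventory, shaped like boto3 head_object responses.
SAMPLE_OBJECTS = {
    "central/2024/part-0.parquet": {"ServerSideEncryption": "aws:kms",
                                    "SSEKMSKeyId": CENTRAL_KMS_KEY_ARN},
    "central/2024/part-1.parquet": {"ServerSideEncryption": "AES256"},   # violates policy
    "sales/2024/part-0.parquet": {"ServerSideEncryption": "AES256"},
}


def audit_inventory(objects=SAMPLE_OBJECTS):
    """Run audit_object over every (key, HeadObject response) pair and collect findings."""
    return [f for key, head in objects.items() for f in audit_object(key, head)]


if __name__ == "__main__":
    print(json.dumps(bucket_policy(), indent=2))
    for finding in audit_inventory():
        print("VIOLATION:", finding)
```

Because Amazon S3 now applies SSE-S3 by default to new objects, the "all other data sets" half of the requirement is satisfied by the bucket default-encryption setting alone, and the bucket policy only has to guard the central prefix; the audit covers objects that were written before either control was in place. The same `EncryptionConfiguration` shape is what `athena.create_work_group` and `update_work_group` accept for result encryption, and the KMS key policy must also grant the Data science team's role `kms:Decrypt` and `kms:GenerateDataKey` or their queries will fail even with the S3 permissions in place.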