HikeHills.com (HH) is an online specialty retailer that sells clothing and outdoor refreshment gear for trekking, camping, boulevard biking, mountain biking, rock hiking, ice mountaineering, skiing, avalanche protection, snowboarding, fly fishing, kayaking, rafting, road and trail running, and many more. HH runs their entire online infrastructure on Java-based web applications running on AWS.
HH captures clickstream data and uses a custom-built recommendation engine to recommend products, which eventually improves sales and helps HH understand customer preferences. HH already uses the AWS Kinesis Streams API and Agents to collect events and transaction logs and to process the stream.
The event/log size is around 12 Bytes. Data transformation and conversion are applied using Kinesis Firehose, and the output is stored in S3.
Since the data captured is sensitive, HH is looking to enable encryption end to end for all the data sources.
The data processed through Kinesis Firehose is captured from Kinesis Streams and from other data sources through the Kinesis agent, the Firehose API, etc.
How can this be enabled? Select 2 options.
A. B. C. D.
Answer: A, D.
Enable server-side data encryption when you use Amazon Kinesis Data Firehose.
The data encryption can be enabled through two modes.
Server-Side Encryption with Kinesis Data Streams as the Data Source using AWS Key Management Service (AWS KMS) key before storing the data at rest.
Server-Side Encryption with Direct PUT or Other Data Sources using the StartDeliveryStreamEncryption operation.
https://docs.aws.amazon.com/firehose/latest/dev/encryption.html
To enable end-to-end encryption for all data sources captured by HikeHills.com, the following two options can be used:
A. Server-Side Encryption with Kinesis Data Streams as the Data Source: This option involves using server-side encryption to encrypt the data captured by Kinesis Data Streams, which is the primary data source for HikeHills.com. Server-side encryption is a process where the data is encrypted by the server before storing it in S3. To implement this option, HikeHills.com can configure their Kinesis Data Streams to use server-side encryption, and enable the same for the Kinesis Firehose, which is used for data transformation and storage in S3. The encryption key can be managed using AWS Key Management Service (KMS), which provides a highly secure and reliable way to create and manage encryption keys.
D. Server-Side Encryption with Direct PUT or Other Data Sources: This option involves using server-side encryption to encrypt the data captured by other data sources, such as Kinesis Agents, Direct PUT, and Firehose API. Similar to the previous option, HikeHills.com can configure these data sources to use server-side encryption and manage the encryption keys using AWS KMS. This will ensure that all the data captured by these sources is encrypted before being stored in S3.
B. Client-Side Encryption with Kinesis Data Streams as the Data Source: This option involves using client-side encryption to encrypt the data captured by Kinesis Data Streams, which is the primary data source for HikeHills.com. Client-side encryption is a process where the data is encrypted by the client before it is sent to the server. To implement this option, HikeHills.com can configure their Kinesis Data Streams to receive encrypted data from the clients and enable the same for the Kinesis Firehose. The encryption key can be managed using AWS KMS.
C. Client-Side Encryption with Direct PUT or Other Data Sources: This option involves using client-side encryption to encrypt the data captured by other data sources, such as Kinesis Agents, Direct PUT, and Firehose API. HikeHills.com can configure these data sources to receive encrypted data from the clients and manage the encryption keys using AWS KMS.
In summary, options A and D involve server-side encryption, while options B and C involve client-side encryption. For end-to-end encryption, both the data source and the destination (S3 in this case) should be encrypted. Therefore, options A and D are the most suitable for HikeHills.com as they ensure that all data sources are encrypted before being stored in S3.
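The two server-side modes in answers A and D are enabled by different API calls depending on the delivery stream's source. The sketch below is an added example, not part of the original question or the AWS documentation: it reads a DescribeDeliveryStream-shaped description and returns the call that applies. The stream names, account ID and key ARN are constructed placeholders, and `plan_encryption` and `apply` are hypothetical helper names.

```python
# Added example (not from the original page). Stream names, account ID and key ARN
# are constructed; the dicts mimic DescribeDeliveryStream / DescribeStreamSummary output.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def plan_encryption(description, key_arn, stream_summary=None):
    """Return (service, operation, params) that turns on SSE, or None if already on."""
    d = description["DeliveryStreamDescription"]
    if d["DeliveryStreamType"] == "KinesisStreamAsSource":
        # Mode A: data rests in the source stream, so SSE is enabled on that stream.
        summary = (stream_summary or {}).get("StreamDescriptionSummary", {})
        if summary.get("EncryptionType") == "KMS":
            return None
        arn = d["Source"]["KinesisStreamSourceDescription"]["KinesisStreamARN"]
        return ("kinesis", "start_stream_encryption",
                {"StreamName": arn.split(":stream/", 1)[1],
                 "EncryptionType": "KMS", "KeyId": key_arn})
    # Mode D: Direct PUT sources (agent, Firehose API) use StartDeliveryStreamEncryption.
    status = d.get("DeliveryStreamEncryptionConfiguration", {}).get("Status", "DISABLED")
    if status in ("ENABLED", "ENABLING"):
        return None
    return ("firehose", "start_delivery_stream_encryption",
            {"DeliveryStreamName": d["DeliveryStreamName"],
             "DeliveryStreamEncryptionConfigurationInput":
                 {"KeyType": "CUSTOMER_MANAGED_CMK", "KeyARN": key_arn}})

def apply(plan):
    """Send a planned call with boto3 (needs credentials; not run by the samples)."""
    import boto3
    service, operation, params = plan
    return getattr(boto3.client(service), operation)(**params)

# Constructed sample descriptions, one per source type.
FROM_STREAM = {"DeliveryStreamDescription": {
    "DeliveryStreamName": "hh-clickstream-to-s3",
    "DeliveryStreamType": "KinesisStreamAsSource",
    "Source": {"KinesisStreamSourceDescription": {
        "KinesisStreamARN": "arn:aws:kinesis:us-east-1:111122223333:stream/hh-clickstream"}}}}
DIRECT_PUT = {"DeliveryStreamDescription": {
    "DeliveryStreamName": "hh-agent-logs-to-s3",
    "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"}}}

if __name__ == "__main__":
    for sample in (FROM_STREAM, DIRECT_PUT):
        print(plan_encryption(sample, KEY_ARN))
```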