AWS Certified Big Data - Specialty Exam: FlexiToner Case Study

FlexiToner Uses AWS for Data Exploration and Data Lake Services

Question

FlexiToner uses AWS to query 10 years' worth of historical data and get results, with the flexibility to explore data for deeper insights.

FlexiToner also hosts log files captured from web servers running on different EC2 machines. FlexiToner has a large number of data assets in structured, semi-structured and unstructured forms: emails, logs, and structured data exported from databases, stored in CSV, LOG and JSON formats and in binary formats such as Parquet and ORC. FlexiToner wants to build a data lake from all the files stored on S3 and offer Data Lake as a service to users from different departments, charged per query run.

FlexiToner understands that Athena provides this facility out of the box (OOTB). Security plays a major role at FlexiToner, which wants to enable end-to-end data encryption for all data accessed through Athena, covering both the data in S3 and the query results. Select 3 options.

Answers

Explanations


Answer: A, D, E.

The requirement here is end-to-end data encryption.

Option A is correct.

Server-side encryption (SSE) with an Amazon S3-managed key (SSE-S3) for the encrypted dataset in Amazon S3 and for encrypted query results. The S3 data is already encrypted at rest, the transfer from S3 is encrypted in transit, and the query results written back to S3 are encrypted again.

So this option covers end-to-end encryption, and hence it is correct.

Athena supports the following Amazon S3 encryption options, both for encrypted datasets in Amazon S3 and for encrypted query results:

· Server-side encryption (SSE) with an Amazon S3-managed key (SSE-S3)

· Server-side encryption (SSE) with an AWS Key Management Service customer managed key (SSE-KMS)

· Client-side encryption (CSE) with an AWS KMS customer managed key (CSE-KMS)

https://docs.aws.amazon.com/athena/latest/ug/encryption.html#encryption-options-S3-and-Athena
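The three options above only deliver end-to-end encryption when both halves are in place: a default encryption rule on the dataset bucket and an encrypted, enforced result location on the Athena workgroup. The following checker is an added example, not code from the page or from AWS; its dicts mirror the shapes returned by boto3's `s3.get_bucket_encryption` and `athena.get_work_group`, and the bucket names and KMS key ARN are constructed placeholders.

```python
"""End-to-end encryption check for an Athena data lake: default encryption on the
S3 dataset bucket plus an enforced encrypted result location on the workgroup.
Added example (not from the page); dict shapes mirror boto3's
s3.get_bucket_encryption and athena.get_work_group responses; samples are constructed."""

RESULT_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}   # Athena's three result options
BUCKET_ALGOS = {"AES256", "aws:kms", "aws:kms:dsse"}  # S3 default-encryption algorithms

def dataset_encrypted(bucket_encryption: dict) -> bool:
    """True if the bucket has a default SSE rule (SSE-S3 or SSE-KMS)."""
    rules = bucket_encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in BUCKET_ALGOS for r in rules)

def results_encrypted(workgroup: dict) -> bool:
    """True if results are encrypted AND the workgroup forces that setting; without
    EnforceWorkGroupConfiguration a client can override the result location."""
    cfg = workgroup.get("WorkGroup", {}).get("Configuration", {})
    enc = cfg.get("ResultConfiguration", {}).get("EncryptionConfiguration", {})
    option = enc.get("EncryptionOption")
    if option in {"SSE_KMS", "CSE_KMS"} and not enc.get("KmsKey"):
        return False  # KMS-backed options are incomplete without a key
    return option in RESULT_OPTIONS and bool(cfg.get("EnforceWorkGroupConfiguration"))

def end_to_end_encrypted(bucket_encryption: dict, workgroup: dict) -> dict:
    """Both halves of the question's 'end to end' requirement."""
    ds, res = dataset_encrypted(bucket_encryption), results_encrypted(workgroup)
    return {"dataset": ds, "results": res, "end_to_end": ds and res}

def kms_workgroup_config(output_location: str, kms_key_arn: str) -> dict:
    """Configuration argument for athena.create_work_group enforcing SSE-KMS results."""
    return {"ResultConfiguration": {"OutputLocation": output_location,
                                    "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS",
                                                                "KmsKey": kms_key_arn}},
            "EnforceWorkGroupConfiguration": True}

# Constructed sample responses with placeholder bucket and key identifiers.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
BUCKET_OK = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY}}]}}
BUCKET_PLAIN = {"ServerSideEncryptionConfiguration": {"Rules": []}}
WG_WEAK = {"WorkGroup": {"Name": "analysts", "Configuration": {   # encrypted but not enforced
    "ResultConfiguration": {"OutputLocation": "s3://example-results/",
                            "EncryptionConfiguration": {"EncryptionOption": "SSE_S3"}},
    "EnforceWorkGroupConfiguration": False}}}
WG_OK = {"WorkGroup": {"Name": "analysts",
                       "Configuration": kms_workgroup_config("s3://example-results/", KEY)}}
```

`WG_WEAK` is the common misconfiguration: result encryption is set on the workgroup but not enforced, so a client can still point `OutputLocation` at an unencrypted bucket.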

Option B is incorrect.

Server-side encryption (SSE) with an Amazon S3-managed key (SSE-S3) for encrypted datasets in Amazon S3.

This covers only the dataset in S3 and says nothing about encrypting the query results that Athena writes.

So on its own this is not a complete solution.

Option C is incorrect.

Client-side encryption (CSE) with an AWS KMS customer managed key (CSE-KMS) for encrypted query results.

This covers only the query results and says nothing about encrypting the dataset in S3.

So on its own this is not a complete solution.

The correct options are A, B, and D.

FlexiToner wants to enable end-to-end data encryption for all the data being accessed through Athena, both for data in S3 and for encrypted query results. Here are the explanations for the three correct options:

A. Server-side encryption (SSE) with an Amazon S3-managed key (SSE-S3) for encrypted datasets in Amazon S3 and for encrypted query results: This option provides encryption for both data at rest and in transit. SSE-S3 is a server-side encryption mechanism that uses AES-256 encryption with Amazon S3-managed keys. When data is uploaded to S3, it is automatically encrypted using SSE-S3. When data is requested through Athena, it is decrypted on the fly using the same SSE-S3 key. This provides end-to-end encryption for data accessed through Athena.

B. Server-side encryption (SSE) with an Amazon S3-managed key (SSE-S3) for encrypted datasets in Amazon S3: This option provides encryption for data at rest in S3 only. When data is uploaded to S3, it is automatically encrypted using SSE-S3. When data is requested through Athena, it is decrypted on the fly using the same SSE-S3 key. This option does not provide encryption for query results.

D. Server-side encryption (SSE) with an AWS Key Management Service customer managed key (SSE-KMS) for encrypted datasets in Amazon S3 and for encrypted query results: This option provides encryption for both data at rest and in transit. SSE-KMS is a server-side encryption mechanism that uses AWS KMS customer-managed keys for encryption. When data is uploaded to S3, it is automatically encrypted using SSE-KMS. When data is requested through Athena, it is decrypted on the fly using the same SSE-KMS key. This provides end-to-end encryption for data accessed through Athena.

Option C, client-side encryption (CSE) with an AWS KMS customer-managed key (CSE-KMS) for encrypted query results, is not a valid option for FlexiToner's requirement of end-to-end encryption for data accessed through Athena. CSE is a client-side encryption mechanism that requires the data to be encrypted before it is uploaded to S3. Since FlexiToner wants to provide a data lake as a service to users, the users will be uploading data to S3, and it is not feasible to require them to encrypt the data before uploading it.

Option E, client-side encryption (CSE) with an AWS KMS customer-managed key (CSE-KMS) for encrypted datasets in Amazon S3 and for encrypted query results, is also not a valid option for FlexiToner's requirement of end-to-end encryption for data accessed through Athena. This option uses CSE-KMS for encrypting data at rest in S3, but does not provide end-to-end encryption for data accessed through Athena.