AWS Certified Big Data - Specialty: Encrypting Data Unloaded from Redshift Tables

Question

An IT administrator has been given the task of unloading data from various Redshift tables.

The company has mandated that all data which is unloaded is encrypted at rest.

Which of the following can help accomplish this? Choose 3 answers from the options given below.

Answers

Explanations

Answer - A, C and D.

The AWS documentation states the following.

UNLOAD automatically creates files using Amazon S3 server-side encryption with AWS-managed encryption keys (SSE-S3).

You can also specify server-side encryption with an AWS Key Management Service key (SSE-KMS) or client-side encryption with a customer-managed key (CSE-CMK).

UNLOAD doesn't support Amazon S3 server-side encryption using a customer-supplied key (SSE-C).

For more information on unloading encrypted files, see:

https://docs.aws.amazon.com/redshift/latest/dg/t_unloading_encrypted_files.html

The task is to unload data from Redshift tables and ensure that the unloaded files are encrypted at rest. UNLOAD supports several encryption modes for the files it writes to S3, and three of the four options describe modes it supports.

A. Use S3 server-side encryption with KMS keys: UNLOAD supports SSE-KMS. The key is given with the KMS_KEY_ID parameter, which must be paired with ENCRYPTED; S3 then encrypts each unloaded file (and the manifest, if one is requested) with a data key protected by that KMS key. The key must be in the same region as the bucket, and the IAM role the cluster assumes must be allowed to use it in the key policy. This option encrypts the unloaded data at rest and gives you key rotation, access control and CloudTrail auditing through KMS.

B. Use S3 server-side encryption with a customer-managed key: the answer key marks this option as incorrect. A customer-managed KMS key is simply a KMS key you created rather than the AWS-managed one, so using it with UNLOAD is the SSE-KMS case already covered by A. The one S3 server-side mode that UNLOAD does not support is SSE-C, in which the caller supplies the raw key with every request; if "customer-managed" here means a customer-supplied key, UNLOAD cannot use it, which is why B is not among the three answers.

C. Use client-side encryption with a customer-managed key: with CSE-CMK, Redshift encrypts each file before it is written to S3, using envelope encryption with a root symmetric key that you supply through the MASTER_SYMMETRIC_KEY parameter together with ENCRYPTED. S3 never sees the key, so bucket access alone does not reveal the data. The files can be read back with COPY using the same root key, or with an S3 client-side encryption library that understands the envelope format.

D. Use the default AWS-managed encryption: UNLOAD writes its files with SSE-S3 (AES-256, keys managed by S3) even when no encryption parameter is given, so the unloaded data is encrypted at rest with no extra configuration. This satisfies the mandate and is therefore a correct answer. The trade-off is that you neither control nor audit the key, so choose A or C when policy requires customer-controlled keys.

In summary, the three options that accomplish the task of unloading data from Redshift tables with the unloaded data encrypted at rest are: A. Use S3 server-side encryption with KMS keys (SSE-KMS). C. Use client-side encryption with a customer-managed key (CSE-CMK). D. Use the default AWS-managed encryption (SSE-S3). Option B is not among them.
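The three supported modes side by side, as an added example that is not part of the original question or the AWS documentation quoted above. The bucket name, IAM role ARN, KMS key ID, table names and the root key value are placeholders to be replaced with your own.

```sql
-- Added example (not from the original page). Bucket, role ARN, key ID, table
-- names and the root key value are placeholders.

-- D: default. No encryption parameter at all; S3 still stores the files with SSE-S3.
UNLOAD ('SELECT * FROM sales')
TO 's3://example-unload-bucket/sales/sse_s3_'
IAM_ROLE 'arn:aws:iam::123456789012:role/ExampleRedshiftUnloadRole'
MANIFEST;

-- A: SSE-KMS. KMS_KEY_ID must be paired with ENCRYPTED. The key must be in the
-- bucket's region and the IAM role above must be allowed to use it in the key
-- policy (kms:GenerateDataKey at unload time, kms:Decrypt when loading back).
-- With MANIFEST, the manifest file is encrypted as well.
UNLOAD ('SELECT * FROM sales')
TO 's3://example-unload-bucket/sales/sse_kms_'
IAM_ROLE 'arn:aws:iam::123456789012:role/ExampleRedshiftUnloadRole'
KMS_KEY_ID '1234abcd-12ab-34cd-56ef-1234567890ab'
ENCRYPTED
MANIFEST;

-- C: CSE-CMK. MASTER_SYMMETRIC_KEY is a base64-encoded 256-bit AES key that you
-- generate and keep outside AWS. Redshift envelope-encrypts every file with it
-- before upload, so S3 (and anyone with only bucket access) never sees plaintext.
UNLOAD ('SELECT * FROM sales')
TO 's3://example-unload-bucket/sales/cse_cmk_'
IAM_ROLE 'arn:aws:iam::123456789012:role/ExampleRedshiftUnloadRole'
MASTER_SYMMETRIC_KEY '<base64-encoded 256-bit key>'
ENCRYPTED
MANIFEST;

-- Loading the CSE-CMK files back requires the same root key; the manifest
-- written by UNLOAD is named <prefix>manifest.
COPY sales_restored
FROM 's3://example-unload-bucket/sales/cse_cmk_manifest'
IAM_ROLE 'arn:aws:iam::123456789012:role/ExampleRedshiftUnloadRole'
MASTER_SYMMETRIC_KEY '<base64-encoded 256-bit key>'
ENCRYPTED
MANIFEST;

-- There is no UNLOAD parameter for SSE-C (customer-supplied key): it is not supported.
```

For SSE-KMS and SSE-S3 the encryption is transparent on the read side: COPY needs only the IAM role (plus kms:Decrypt on the key for SSE-KMS). For CSE-CMK the root key is the only way to recover the data, so losing it means losing the unload; store it in a secret manager, not in the SQL script.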