AWS S3 Bucket Data Encryption Best Practices | Exam Preparation Guide

Ensuring Metadata Encryption for Critical Data in S3 Bucket

Question

Your company hosts critical data in an S3 bucket.

There is a requirement to ensure that all data is encrypted.

The metadata about the information stored in the bucket needs to be encrypted as well.

Which of the below measures would you take to ensure that the metadata is encrypted?

Answers

Explanations


A. B. C. D.

Answer: C.

Options A, B and D are incorrect because encrypting the objects in an S3 bucket does not encrypt their metadata.

Option C is CORRECT because, since encrypting the S3 bucket objects does not encrypt the metadata, the metadata has to be kept in a separate store that is itself encrypted.

So the best option is to store the metadata in the DynamoDB table and encrypt using AWS KMS during the table creation process.

For more information on using KMS encryption for S3, please refer to the URL below:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

The correct answer is B. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.

Explanation: Amazon S3 provides server-side encryption to encrypt the data at rest. When you enable server-side encryption on your S3 bucket, Amazon S3 encrypts all new objects you upload to the bucket using encryption keys. The S3 server-side encryption provides two options for managing encryption keys: S3-managed keys (SSE-S3) or customer-provided keys (SSE-C).

However, the S3 server-side encryption only encrypts the data payload of the object, not the metadata. Metadata is data about your object that describes the object, such as object creation date, modification date, size, and custom metadata. To encrypt the metadata as well, you need to use the AWS Key Management Service (KMS) with server-side encryption.

You can use the S3 server-side encryption with KMS to protect both the data and metadata. When you use this option, Amazon S3 first encrypts the object data with S3-managed keys or customer-provided keys and then encrypts the S3-managed encryption key itself with a master key from AWS KMS. The encrypted key is then stored alongside the object metadata in S3.

Therefore, the correct answer is B. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption. This ensures that both the data and metadata are encrypted using S3 Server-side encryption with AWS KMS. Option A is incorrect because it only enables S3 Server-side encryption, which does not encrypt metadata. Option C is incorrect because it suggests storing metadata in DynamoDB, which is a NoSQL database service, and encrypting the table only encrypts the table data, not metadata. Option D is incorrect because it does not suggest any encryption mechanism for metadata.