Securing AWS S3 Data: Encryption and Access Monitoring Solutions

Ensuring Data Security: Encryption at Rest and Access Monitoring for AWS S3

Question

Your Security Team has some security concerns about the application data stored on S3.

The team requires you to introduce two improvements: (i) add “encryption at rest” and (ii) give them the possibility to monitor who has accessed the data and when the data have been accessed. Which of the following AWS solutions would you adopt to satisfy the requirement?

Answers

A. AWS Certificate Manager
B. Server-Side Encryption with S3-managed keys (SSE-S3)
C. Server-Side Encryption with customer-provided keys (SSE-C)
D. Server-Side Encryption managed by KMS (SSE-KMS) with CloudTrail

Answer: D.

Explanations

Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in Amazon S3.

CloudTrail logs successful operations as well as attempted calls that failed, such as when the caller is denied access to a resource.

Operations on KMS keys in other accounts are logged in both the caller account and the KMS key owner account.

Option A is INCORRECT: AWS Certificate Manager is not a solution for encryption at rest.

It is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Hence it is a solution for “encryption in transit”, not for “encryption at rest.”

Option B is INCORRECT because SSE-S3 does provide “encryption/decryption at rest”, but it does not offer monitoring capabilities (who encrypted or decrypted the data, and when).

Option C is INCORRECT because SSE-C does provide “encryption/decryption at rest”, but it does not offer monitoring capabilities (who encrypted or decrypted the data, and when).

Option D is CORRECT because SSE-KMS does provide “encryption/decryption at rest” and does offer monitoring capabilities.

CloudTrail captures all API calls to AWS KMS as events, including calls from the AWS KMS console, AWS KMS APIs, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell.

References:

https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html#sse
https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html

To meet the security team's requirements, you need to enable encryption at rest and provide auditing capabilities to track who accessed the data and when.

AWS offers several solutions for server-side encryption and monitoring of access to S3 objects.

Option A, AWS Certificate Manager, is not relevant to this use case. It is a service that manages SSL/TLS certificates for websites and other online services.

Option B, server-side encryption managed by S3 (SSE-S3), provides encryption at rest for S3 objects using keys managed by AWS. SSE-S3 uses AES-256 encryption and provides automatic key rotation, making it easy to implement and manage. However, it does not provide detailed auditing capabilities to track who accessed the data and when.

Option C, server-side encryption with customer-provided keys (SSE-C), allows customers to use their own encryption keys to encrypt data at rest in S3. SSE-C provides greater control over encryption keys and more granular access control but requires more management overhead. Similar to SSE-S3, SSE-C does not provide built-in auditing capabilities.

Option D, server-side encryption managed by KMS (SSE-KMS), provides encryption at rest for S3 objects using keys managed by the AWS Key Management Service (KMS). SSE-KMS offers the benefits of SSE-S3 and SSE-C, including automatic key rotation and granular access control, while also providing detailed auditing capabilities through AWS CloudTrail.

Therefore, the best option to satisfy the security team's requirements is D, Server-Side Encryption managed by KMS (SSE-KMS) with CloudTrail. This solution offers encryption at rest with keys managed by KMS and detailed monitoring of access to S3 objects through CloudTrail.
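The monitoring benefit of SSE-KMS described in both explanations above comes from the KMS calls S3 makes on the caller's behalf, which CloudTrail records with the S3 object ARN in the encryption context. The following added example (not part of the original page, and not AWS code) turns a CloudTrail log file into a who/when access report; the log records are constructed and reduced to the fields the report needs, and the bucket, account id and principal names are made up.

```python
"""Build a who/when access report for SSE-KMS objects from CloudTrail records."""
import json

# Constructed, minimal CloudTrail records (real records carry many more fields).
# S3 passes the object ARN (or the bucket ARN when S3 Bucket Keys are enabled)
# to KMS as the "aws:s3:arn" encryption context, so each Decrypt/GenerateDataKey
# event names the data that was read or written. S3 data events, if enabled on
# the trail, record the GetObject/PutObject call itself.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-01-15T10:02:11Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::app-data/customers.csv"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2024-01-15T10:02:12Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "app-data", "key": "customers.csv"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-01-15T11:45:00Z",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/etl/job7"},
     "errorCode": "AccessDenied",  # failed attempt: still logged by CloudTrail
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::app-data/customers.csv"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "eventTime": "2024-01-15T12:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::app-data/report.pdf"}}},
]})


def object_access_events(log_text):
    """Return (time, principal, object ARN, operation, outcome) tuples, sorted
    by time, for every record that touched an S3 object via S3 or via KMS."""
    report = []
    for rec in json.loads(log_text)["Records"]:
        params = rec.get("requestParameters") or {}
        if rec["eventSource"] == "kms.amazonaws.com":
            obj = params.get("encryptionContext", {}).get("aws:s3:arn")
            if obj is None:  # KMS call not made on behalf of S3; skip it
                continue
        elif rec["eventSource"] == "s3.amazonaws.com" and "key" in params:
            obj = f"arn:aws:s3:::{params['bucketName']}/{params['key']}"
        else:
            continue
        outcome = rec.get("errorCode", "Success")
        report.append((rec["eventTime"], rec["userIdentity"]["arn"], obj,
                       rec["eventName"], outcome))
    return sorted(report)
```

Under SSE-S3 or SSE-C the KMS rows would not exist at all, which is exactly the gap the question points at; the S3 data-event row appears only if S3 data events are enabled on the trail.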