Your security team has some concerns about the application data stored on S3.
The team requires you to introduce two improvements: (i) add "encryption at rest" and (ii) give them the ability to monitor who has accessed the data and when it was accessed. Which of the following AWS solutions would you adopt to satisfy these requirements?
A. B. C. D.
Answer: D.
Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3.
CloudTrail logs successful operations and attempted calls that failed, such as when the caller is denied access to a resource.
Operations on KMS keys in other accounts are logged in both the caller account and the KMS key owner account.
Option A is INCORRECT: AWS Certificate Manager is not a solution for encryption at rest.
It is a service that lets you provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Hence it is a solution for "encryption in transit", not for "encryption at rest".
Option B is INCORRECT because SSE-S3 does encrypt and decrypt at rest, but S3 manages the keys internally, so there is no key-usage audit trail that tells you who caused an encryption or decryption and when.
Option C is INCORRECT because SSE-C also encrypts and decrypts at rest, but the keys are supplied by the customer with every request and never pass through KMS, so again there is no key-usage audit trail.
Option D is CORRECT because SSE-KMS encrypts and decrypts at rest and every use of the KMS key that S3 makes on a caller's behalf (GenerateDataKey on upload, Decrypt on download) is recorded by CloudTrail together with the calling principal, the time, the source IP address, and the S3 ARN carried in the encryption context.
CloudTrail captures all API calls to AWS KMS as events, including calls from the AWS KMS console, AWS KMS APIs, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell.
References:
https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html#sse
https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html

To satisfy the security team's requirements, you need to introduce both encryption at rest and access monitoring for the S3 data. AWS offers several ways to achieve each of these, but the best choice depends on specific needs, regulatory compliance, and cost.
One solution is to use server-side encryption (SSE) with keys managed by AWS Key Management Service (KMS), combined with CloudTrail. SSE-KMS protects data at rest by encrypting each object with a data key that is itself protected by a KMS key. The key policy and IAM policies give granular control over who may use the key to encrypt and decrypt, and every use of the key is auditable via CloudTrail.
CloudTrail records the KMS API calls S3 makes on a caller's behalf as management events, which are logged by default: each event names the caller, the time, the source IP address, and the S3 object (or bucket) ARN in the encryption context. Object-level S3 operations such as GetObject, PutObject, and DeleteObject are CloudTrail data events, which are not logged by default and must be enabled for the bucket or trail. Two caveats matter in practice: if S3 Bucket Keys are enabled, S3 no longer calls KMS for every object request and the encryption context is the bucket ARN rather than the object ARN, so object-level attribution then needs S3 data events; and a denied KMS call is logged as well, which is often the more interesting record.
Therefore, the correct answer is D. Server-Side Encryption managed by KMS (SSE-KMS) with CloudTrail. Option D provides both encryption at rest and monitoring of data access events, meeting the security team's requirements.
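The audit the explanation above describes, carried through as an added example (not code from AWS or from the original question): parse CloudTrail records, keep only the KMS calls S3 made for object requests, and turn them into a "who, what, when, from where, and did it succeed" report. The log records are constructed to follow the field layout CloudTrail uses for AWS KMS events; the account ID, bucket name, key ID, and principal names are placeholders.

```python
"""Who decrypted which S3 object, and when: an audit over CloudTrail records.

Added example for this page. The records in SAMPLE_LOG are constructed to
follow the field layout CloudTrail uses for AWS KMS events; the account ID,
bucket, key ID and principal names are placeholders, not real resources.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Encryption context S3 attaches to every KMS call it makes for SSE-KMS.
S3_CONTEXT_KEY = "aws:s3:arn"
# KMS operations S3 issues on a caller's behalf: GenerateDataKey on upload,
# Decrypt on download.
S3_KMS_OPERATIONS = {"GenerateDataKey", "Decrypt"}

# Constructed sample log: CloudTrail delivers files as {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {   # successful download: S3 called Decrypt for alice
        "eventTime": "2024-05-01T10:15:02Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::example-app-data/reports/q1.csv"}},
        "resources": [{"type": "AWS::KMS::Key", "ARN":
            "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}],
    },
    {   # denied download: bob can read the bucket but may not use the key
        "eventTime": "2024-05-01T10:17:40Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "errorCode": "AccessDenied",
        "requestParameters": {"encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::example-app-data/reports/q1.csv"}},
    },
    {   # upload with S3 Bucket Keys enabled: context is the bucket, not the object
        "eventTime": "2024-05-01T11:02:11Z", "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey", "sourceIPAddress": "10.0.4.21",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/EtlRole/nightly"},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-app-data"}},
    },
    {   # key administration with no S3 encryption context: not an object access
        "eventTime": "2024-05-01T11:30:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey", "sourceIPAddress": "203.0.113.99",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/kms-admin"},
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    },
]})


@dataclass(frozen=True)
class S3KeyUse:
    event_time: str
    principal: str
    source_ip: str
    operation: str
    target: str   # object ARN, or bucket ARN when S3 Bucket Keys are enabled
    scope: str    # "object" or "bucket"
    outcome: str  # "success" or the CloudTrail errorCode


def parse_records(log_text: str) -> list:
    """Return the Records array of one CloudTrail log file."""
    return json.loads(log_text).get("Records", [])


def s3_key_uses(records) -> list:
    """Keep only KMS calls S3 made for an object request, sorted by time."""
    uses = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in S3_KMS_OPERATIONS:
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        target = ctx.get(S3_CONTEXT_KEY)
        if not target:
            continue  # KMS call not made on behalf of an S3 object request
        # arn:aws:s3:::bucket/key names an object; arn:aws:s3:::bucket means
        # S3 Bucket Keys are in use and the object must come from S3 data events.
        resource = target.partition(":::")[2]
        uses.append(S3KeyUse(
            event_time=rec["eventTime"],
            principal=rec.get("userIdentity", {}).get("arn", "<unknown>"),
            source_ip=rec.get("sourceIPAddress", "<unknown>"),
            operation=rec["eventName"],
            target=target,
            scope="object" if "/" in resource else "bucket",
            outcome=rec.get("errorCode", "success"),
        ))
    return sorted(uses, key=lambda u: u.event_time)


def accesses_by_principal(uses) -> dict:
    """Map each caller to the (time, operation, target, outcome) tuples it produced."""
    by = defaultdict(list)
    for u in uses:
        by[u.principal].append((u.event_time, u.operation, u.target, u.outcome))
    return dict(by)


def denied_uses(uses) -> list:
    """Failed key uses are logged too and are usually the first thing to review."""
    return [u for u in uses if u.outcome != "success"]


if __name__ == "__main__":
    uses = s3_key_uses(parse_records(SAMPLE_LOG))
    for u in uses:
        print(f"{u.event_time} {u.principal} {u.operation} {u.target} "
              f"[{u.scope}, {u.outcome}] from {u.source_ip}")
    for u in denied_uses(uses):
        print("DENIED:", u.principal, "->", u.target)
```

Run against real logs by feeding each gzipped CloudTrail file's contents to parse_records. The DescribeKey record is dropped because it carries no aws:s3:arn context, the denied Decrypt is kept with its errorCode, and the Bucket Key upload shows up with scope "bucket", which is the signal that object-level attribution needs S3 data events rather than the KMS trail.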