AWS S3 Data Encryption: Key Rotation for Compliance | Best Solution with Minimal Overhead

Rotate Encryption Key Yearly for AWS S3 Data in Compliance | Minimal Overhead

Question

Your company is using S3 for the storage of data in the cloud.

They want to ensure that all data in the bucket is encrypted.

Compliance policy specifies that the encryption key must be rotated every year.

Which option meets this requirement with the least overhead?

Answers

A. All S3 data is encrypted by default with a key rotation policy of one year.

B. Enable AES-256 encryption.

C. Enable AWS-KMS encryption and specify aws/s3 as the key.

D. Enable AWS-KMS client-side encryption and specify the customer master key ARN.

E. Enable AWS-KMS server-side encryption in S3 and specify the customer master key ARN. Enable key rotation for the customer master key in KMS.

F. Enable AWS-KMS server-side encryption in S3 and specify the customer master key ARN. Manually rotate the key on a one-year schedule.

Explanations

Answer: E.

Option A is incorrect because S3 is not encrypted by default.

Option B is incorrect because you cannot control the key rotation of AWS owned keys.

Option C is incorrect because AWS managed keys are rotated every 3 years.

Option D is incorrect because the requirement calls for server-side encryption of the data in the bucket; client-side encryption does not meet it.

Option E is correct because AWS customer master keys with automatic key rotation enabled are rotated every year.

Option F is incorrect because users would have to rotate the AWS customer master key manually every year, so Option E is the better choice.

Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Option A: All S3 data is encrypted by default with a key rotation policy of one year. This option is not valid as AWS does not have a default encryption key rotation policy.

Option B: Enable AES-256 encryption. This option can be configured, but it does not include a key rotation policy, which the compliance policy requires. Also, AES-256 encryption (SSE-S3) is not managed by AWS KMS, so there is no way to manage a key rotation policy for it.

Option C: Enable AWS-KMS encryption and specify aws/s3 as the key. This option can be configured, but it does not include a key rotation policy you control, which the compliance policy requires. The default key used in this option is not recommended for production use or for compliance with regulatory requirements.

Option D: Enable AWS-KMS Client-Side Encryption and specify the customer master key ARN. This option is not valid, as client-side encryption does not provide server-side encryption of the data in the S3 bucket. The key rotation policy for the customer master key in KMS must be managed manually.

Option E: Enable AWS-KMS server-side encryption in S3 and specify the customer master key ARN. Enable key rotation for the customer master key in KMS. This option is the correct answer. By enabling server-side encryption in S3 with AWS-KMS, the data in the bucket is encrypted using a customer master key managed by KMS. The key rotation policy for the customer master key in KMS can be configured to rotate every year, which meets the compliance requirement.

Option F: Enable AWS-KMS server-side encryption in S3 and specify the customer master key ARN. Manually rotate the key on a one-year schedule. This option is valid, but it is not the most efficient. By manually rotating the key, there is an increased risk of error or delay in the key rotation process. Option E is a better choice as it automates the key rotation process.
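The configuration behind options E and F, as an added example that is not code from the original page: it builds the two API requests option E needs (bucket default SSE-KMS under a customer master key ARN, then automatic rotation on that key) and audits an existing bucket against the compliance policy, mapping each failing setup to the option it corresponds to. It assumes the caller supplies boto3 `s3` and `kms` clients for `apply_option_e`; the audit function only takes the fields the GetBucketEncryption, DescribeKey and GetKeyRotationStatus APIs report, so it runs offline.

```python
from typing import Optional, Tuple

def sse_kms_config(kms_key_arn: str) -> dict:
    """Bucket default-encryption configuration in the shape S3's
    PutBucketEncryption expects: SSE-KMS under a customer master key ARN."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}}]}

def option_e_requests(bucket: str, kms_key_arn: str) -> dict:
    """The two API calls option E needs, keyed by boto3 client method name:
    set the bucket default to SSE-KMS, then enable automatic rotation on the key."""
    return {
        "put_bucket_encryption": {"Bucket": bucket,
                                  "ServerSideEncryptionConfiguration": sse_kms_config(kms_key_arn)},
        "enable_key_rotation": {"KeyId": kms_key_arn},
    }

def apply_option_e(s3, kms, bucket: str, kms_key_arn: str) -> None:
    """Send the option E requests. `s3` and `kms` are boto3 clients created by
    the caller (assumed; boto3 is not imported here so the audit below runs offline)."""
    req = option_e_requests(bucket, kms_key_arn)
    s3.put_bucket_encryption(**req["put_bucket_encryption"])
    kms.enable_key_rotation(**req["enable_key_rotation"])

def check_rotation_policy(encryption_config: Optional[dict],
                          key_manager: Optional[str],
                          rotation_enabled: bool) -> Tuple[bool, str]:
    """Audit a bucket against the compliance policy above. Inputs are what
    GetBucketEncryption, DescribeKey (KeyMetadata.KeyManager: "AWS" or
    "CUSTOMER") and GetKeyRotationStatus (KeyRotationEnabled) report.
    Returns (compliant, reason); each failure maps to one of the options."""
    rules = (encryption_config or {}).get("Rules") or []
    if not rules:
        return False, "no default encryption: S3 is not encrypted by default (option A)"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return False, "SSE-S3 (AES-256): key is not managed in KMS, rotation not controllable (option B)"
    if algo != "aws:kms":
        return False, f"unexpected SSEAlgorithm {algo!r}"
    if key_manager == "AWS":
        return False, "AWS managed key aws/s3: rotation schedule is not under your control (option C)"
    if not rotation_enabled:
        return False, "customer master key without automatic rotation: manual yearly rotation (option F)"
    return True, "SSE-KMS with a customer master key and automatic rotation enabled (option E)"
```

Running `check_rotation_policy` over every bucket in an account is a cheap way to catch drift back to options A through D or F after the initial setup.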