Your company has a set of resources defined in AWS.
These resources consist of applications hosted on EC2 Instances.
Data is stored on EBS volumes and S3.
The company mandates that all data should be encrypted at rest.
How can you achieve this? Choose 2 answers from the options below.
A. B. C. D.
Answer - B and D.
The AWS Documentation mentions the following.
Amazon EBS encryption offers a simple encryption solution for your EBS volumes without the need to build, maintain, and secure your own key management infrastructure.
Server-side encryption protects data at rest.
Server-side encryption with Amazon S3-managed encryption key (SSE-S3) uses strong multi-factor encryption.
Options A and C are incorrect since they have to do with encryption of data in transit, but not at rest.
For more information on EBS Encryption, please refer to the below link-
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
For more information on S3 server-side encryption, please refer to the below link-
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
To achieve the requirement of encrypting data at rest for resources in AWS, two options are available:
Enable EBS Encryption: Amazon Elastic Block Store (EBS) encryption provides encryption for EBS volumes. When the EBS volume is encrypted, the data stored on the EBS volume is also encrypted at rest. This means that even if an unauthorized person gains access to the EBS volume, they cannot read the data without the decryption key. EBS encryption uses AWS Key Management Service (KMS) to manage encryption keys. To enable EBS encryption, follow the below steps:
Enable S3 server-side Encryption: Amazon S3 Server-Side Encryption provides encryption for data stored in S3. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) provides automatic server-side encryption using the AES-256 encryption algorithm. When data is uploaded to S3, it is encrypted using a unique key and then decrypted when accessed. To enable S3 server-side encryption, follow the below steps:
Therefore, the correct answers for achieving the requirement of encrypting data at rest are: Enable EBS Encryption and Enable S3 server-side Encryption.
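One way to verify the mandate after enabling both settings, as an added example that is not part of the original answer or of the AWS documentation: the audit below runs over constructed sample data shaped like the output of EC2 DescribeVolumes and S3 GetBucketEncryption. The volume IDs, bucket names, key ARN and the accepted algorithm set are assumptions made for illustration.

```python
"""Audit API-shaped responses for encryption at rest (added example)."""

# Constructed sample, shaped like EC2 DescribeVolumes output.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa1111example", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"VolumeId": "vol-0bbb2222example", "Encrypted": False},
]}

# Constructed sample: bucket name -> S3 GetBucketEncryption output, or None
# where the call returned no default encryption configuration.
SAMPLE_BUCKETS = {
    "example-app-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "example-app-uploads": None,
    "example-app-scratch": {"ServerSideEncryptionConfiguration": {"Rules": []}},
}

# Assumption of this example: SSE-S3 ("AES256") and SSE-KMS ("aws:kms")
# both satisfy the company's encryption-at-rest mandate.
ACCEPTED_SSE = {"AES256", "aws:kms"}


def unencrypted_volumes(resp):
    """Return IDs of volumes not marked Encrypted (missing flag counts as unencrypted)."""
    return sorted(v["VolumeId"] for v in resp.get("Volumes", [])
                  if not v.get("Encrypted", False))


def bucket_sse_algorithms(config):
    """Return the set of default SSE algorithms declared in a bucket's rules."""
    if not config:
        return set()
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    return algos - {None}


def buckets_without_sse(buckets):
    """Return names of buckets with no accepted default server-side encryption."""
    return sorted(name for name, cfg in buckets.items()
                  if not (bucket_sse_algorithms(cfg) & ACCEPTED_SSE))


def audit(volumes, buckets):
    """Combine both checks into one findings report."""
    return {"ebs_unencrypted": unencrypted_volumes(volumes),
            "s3_no_default_sse": buckets_without_sse(buckets)}


if __name__ == "__main__":
    print(audit(SAMPLE_VOLUMES, SAMPLE_BUCKETS))
```

An empty rule list is treated the same as a missing configuration, so a bucket with a configuration object but no default algorithm is still reported.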