Achieving Data Encryption at Rest in AWS

Encrypting Data at Rest in AWS

Q: Your company has a set of resources defined in AWS.These resources consist of applications hosted on EC2 Instances.Data is stored on EBS volumes and S3The company mandates that all data should be encrypted at rest.How can you achieve this? Choose 2 answers from the options below.

Enable EBS Encryption.Enable S3 server-side Encryption.

Prev Question Next Question

Question

Your company has a set of resources defined in AWS.

These resources consist of applications hosted on EC2 Instances.

Data is stored on EBS volumes and S3

The company mandates that all data should be encrypted at rest.

How can you achieve this? Choose 2 answers from the options below.

Answers

A. Enable SSL with the underlying EBS volumes.

B. Enable EBS Encryption.

C. Make sure that data is transmitted from S3 via HTTPS.

D. Enable S3 server-side Encryption.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - B and D.

The AWS Documentation mentions the following.

Amazon EBS encryption offers a simple encryption solution for your EBS volumes without the need to build, maintain, and secure your own key management infrastructure.

Server-side encryption protects data at rest.

Server-side encryption with Amazon S3-managed encryption key (SSE-S3) uses strong multi-factor encryption.

Options A and C are incorrect since they have to do with encryption of data in transit, but not at rest.

For more information on EBS Encryption, please refer to the below link-

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

For more information on S3 server-side encryption, please refer to the below link-

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html

To achieve the requirement of encrypting data at rest for resources in AWS, two options are available:

Enable EBS Encryption: Amazon Elastic Block Store (EBS) encryption provides encryption for EBS volumes. When the EBS volume is encrypted, the data stored on the EBS volume is also encrypted at rest. This means that even if an unauthorized person gains access to the EBS volume, they cannot read the data without the decryption key. EBS encryption uses AWS Key Management Service (KMS) to manage encryption keys. To enable EBS encryption, follow the below steps:
- Create a new AWS KMS key or use an existing one.
- Create a new encrypted EBS volume using this key or encrypt an existing EBS volume.
- Attach the encrypted EBS volume to the EC2 instance.
Enable S3 server-side Encryption: Amazon S3 Server-Side Encryption provides encryption for data stored in S3. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) provides automatic server-side encryption using the AES-256 encryption algorithm. When data is uploaded to S3, it is encrypted using a unique key and then decrypted when accessed. To enable S3 server-side encryption, follow the below steps:
- Enable encryption when uploading the data to S3 or configure an S3 bucket to enable default encryption for all objects.
- Specify SSE-S3 as the encryption type.
- Amazon S3 encrypts the object using encryption keys managed by AWS KMS.

Therefore, the correct answers for achieving the requirement of encrypting data at rest are: Enable EBS Encryption and Enable S3 server-side Encryption.

Prev Question Next Question