You are working for a Pharma firm.
You are using S3 buckets to save a large amount of sensitive project documents for new medical research.
You need to ensure that all data at rest in these buckets is encrypted.
All the keys need to be managed by the in-house Security team.
Which of the following can be used as a best practice to encrypt all data securely?
Correct Answer - A.
Since the in-house security team will manage the keys, a customer-managed CMK must be used.
The customer-managed CMK generates a plaintext data key together with an encrypted copy of that same data key.
All project-related sensitive documents are encrypted with the plaintext data key.
After encryption, the plaintext data key must be deleted to prevent any inappropriate use; only the encrypted data key and the encrypted data are stored in the S3 bucket.
A data key therefore has two forms: the plaintext data key and the encrypted data key.
For decryption, the encrypted data key is sent to KMS and decrypted under the customer-managed CMK back into the plaintext data key, which is then used to decrypt the documents.
This is envelope encryption: the data is protected by a data key, which is in turn protected by another key (the CMK) that never leaves KMS.
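The procedure above, as an added worked example that is not part of the original answer or of any AWS SDK. The `KeyService` interface stands for the two KMS calls the scheme depends on (in production these map to the KMS `GenerateDataKey` and `Decrypt` API operations against the customer-managed CMK's key ID, where `GenerateDataKey` returns both the plaintext key and its `CiphertextBlob`); `localCMK` is a constructed stand-in that wraps data keys under an in-memory master key so the example runs offline. The document and key sizes are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is the subset of KMS behaviour envelope encryption relies on.
// GenerateDataKey returns a fresh plaintext data key and its wrapped (encrypted) form;
// Decrypt unwraps a wrapped data key. The master key itself is never exposed.
type KeyService interface {
	GenerateDataKey() (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

// localCMK is a constructed stand-in for a customer-managed CMK (assumption: offline demo).
// It wraps data keys with AES-256-GCM under a master key held only in memory.
type localCMK struct{ master cipher.AEAD }

func newLocalCMK() (*localCMK, error) {
	masterKey := make([]byte, 32)
	if _, err := rand.Read(masterKey); err != nil {
		return nil, err
	}
	aead, err := newAEAD(masterKey)
	if err != nil {
		return nil, err
	}
	return &localCMK{master: aead}, nil
}

func (c *localCMK) GenerateDataKey() ([]byte, []byte, error) {
	dk := make([]byte, 32) // 256-bit data key
	if _, err := rand.Read(dk); err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(c.master, dk)
	return dk, wrapped, err
}

func (c *localCMK) Decrypt(wrapped []byte) ([]byte, error) { return open(c.master, wrapped) }

// EnvelopeObject is what is stored in the S3 bucket: ciphertext plus the encrypted
// data key. No plaintext key is ever written out.
type EnvelopeObject struct {
	EncryptedDataKey []byte
	Ciphertext       []byte // nonce || AES-GCM ciphertext of the document
}

// EnvelopeEncrypt generates a data key, encrypts the document with its plaintext form,
// then wipes the plaintext key and keeps only the wrapped key beside the ciphertext.
func EnvelopeEncrypt(kms KeyService, document []byte) (EnvelopeObject, error) {
	dk, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return EnvelopeObject{}, err
	}
	defer zero(dk) // plaintext data key is discarded as soon as encryption is done
	aead, err := newAEAD(dk)
	if err != nil {
		return EnvelopeObject{}, err
	}
	ct, err := seal(aead, document)
	if err != nil {
		return EnvelopeObject{}, err
	}
	return EnvelopeObject{EncryptedDataKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt asks the key service to unwrap the data key, then decrypts the document.
func EnvelopeDecrypt(kms KeyService, obj EnvelopeObject) ([]byte, error) {
	dk, err := kms.Decrypt(obj.EncryptedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dk)
	aead, err := newAEAD(dk)
	if err != nil {
		return nil, err
	}
	return open(aead, obj.Ciphertext)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a random nonce to the AES-GCM output; open reverses it and verifies the tag.
func seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms, _ := newLocalCMK()
	obj, _ := EnvelopeEncrypt(kms, []byte("constructed sample: trial protocol v3"))
	doc, err := EnvelopeDecrypt(kms, obj)
	fmt.Printf("stored wrapped key %d bytes, ciphertext %d bytes; decrypt err=%v: %q\n",
		len(obj.EncryptedDataKey), len(obj.Ciphertext), err, doc)
}
```

Because the only key persisted with the object is the wrapped one, a copy of the bucket is useless without access to the CMK; the decrypt path fails at the unwrap step, which is also where KMS key policies and CloudTrail logging apply.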
Option B is incorrect. Since all keys must be managed by the in-house security team, AWS-managed CMKs cannot be used.
Option C is incorrect because saving data key files in plaintext form is not a best practice.
All plaintext data keys should be deleted; only the encrypted data keys need to be saved.
Option D is incorrect because all keys must be managed by the in-house security team, so AWS-managed CMKs cannot be used.
Also, all plaintext data keys should be deleted and only the encrypted data keys saved.
For more information on AWS KMS, refer to the following URLs:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
As a best practice to encrypt all data at rest in S3 buckets, the answer is (A): Generate a data key using the customer-managed CMK. Encrypt the data with the plaintext data key and delete the plaintext data key. Store the encrypted data key and the encrypted data in the S3 bucket. For decryption, use the CMK to decrypt the encrypted data key into the plaintext data key, and then decrypt the data using the plaintext data key.
Here's why:
The other options (B, C, and D) are not recommended because: