Securing Data at Rest and in Transit in AWS | Exam Preparation


Question

An IT company wants to secure its resources in its AWS Account.

Which of the following options would secure data at rest and in transit in AWS? (SELECT THREE)

Answers

A. Encrypt all EBS volumes attached to EC2 Instances
B. Use Server-Side Encryption for S3
C. Use SSL/HTTPS when using the Elastic Load Balancer
D. Use IOPS Volumes when working with EBS Volumes on EC2 Instances

Explanations

Correct Answers - A, B and C.

AWS documentation mentions the following.

Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure.

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted.

Data at rest inside the volume.

All data moving between the volume and the instance.

All snapshots created from the volume.

Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers).

You can protect data in transit by using SSL/TLS (HTTPS endpoints) or by using client-side encryption.

You have the following options for protecting data at rest in Amazon S3.

Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and to decrypt it when you download the object.

Use Client-Side Encryption - You encrypt data client-side and upload the encrypted data to Amazon S3.

In this case, you manage the encryption process, the encryption keys, and related tools; S3 only ever sees ciphertext.

You can create a load balancer that uses the SSL/TLS protocol for encrypted connections (also known as SSL offload).

This feature encrypts traffic between the clients that initiate HTTPS sessions and your load balancer. Connections between your load balancer and your EC2 instances are encrypted only if you also configure the backend (target) protocol as HTTPS/TLS; with SSL offload in the strict sense, the load balancer decrypts the traffic and forwards it to the instances in cleartext.

For more information on securing data at rest, please refer to the below link-

https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf


A. Encrypt all EBS volumes attached to EC2 Instances: Encrypting an EBS volume protects the data stored on it at rest. The volume is encrypted with a KMS key (the AWS managed key aws/ebs or a customer managed key), so anyone who obtains the underlying storage without access to that key cannot read the data. Encryption also covers the data moving between the volume and the instance and every snapshot taken from the volume. Two practical points: an existing unencrypted volume cannot be switched to encrypted in place (create a snapshot, copy it with encryption enabled, and create a new volume from the copy), and enabling EBS encryption by default in each region stops unencrypted volumes from being created in the first place. Encrypting EBS volumes is therefore an essential step in securing data at rest in AWS.

B. Use Server-Side Encryption for S3: Amazon S3 (Simple Storage Service) is the object storage service in AWS. With server-side encryption, S3 encrypts each object before writing it to disk and decrypts it when an authorized principal downloads it, so the data is protected at rest. S3 offers three server-side options: SSE-S3 (keys managed entirely by S3, and the default for every new object since January 2023), SSE-KMS (keys in AWS KMS, which adds a key policy and CloudTrail logging of key use, and therefore control over who can decrypt), and SSE-C (keys supplied by the customer on each request). Server-side encryption addresses data at rest only; data in transit to and from S3 is protected by TLS, which can be made mandatory with a bucket policy that denies requests where aws:SecureTransport is false.

C. Use SSL/HTTPS when using the Elastic Load Balancer: Elastic Load Balancing distributes incoming application traffic across multiple targets, such as EC2 instances, containers, and IP addresses. An HTTPS (or TLS) listener on the load balancer encrypts the connection between clients and the load balancer, which is where the load balancer's certificate is presented. Whether the hop from the load balancer to the targets is also encrypted depends on the target configuration: if the target group uses HTTP, TLS is terminated at the load balancer (SSL offload) and backend traffic is in cleartext inside the VPC; if the target group uses HTTPS and the instances serve TLS, the data is encrypted end to end. Together with a modern security policy on the listener (TLS 1.2 or later), this protects data in transit and prevents eavesdropping on sensitive data between clients and the application.

D. Use IOPS Volumes when working with EBS Volumes on EC2 Instances: Input/Output Operations Per Second (IOPS) is a measure of the number of read/write operations an EBS volume can perform per second, and Provisioned IOPS volumes (io1/io2) let you reserve a guaranteed level of it. This is a performance and throughput setting; it has no bearing on whether the data is encrypted or otherwise protected. Any EBS volume type, Provisioned IOPS included, is only protected at rest if encryption is enabled on it.

Therefore, options A, B, and C would secure data at rest and in transit in AWS, while option D relates to performance rather than security.
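The three correct options are all things you can verify from the AWS CLI. The script below is an added example, not code from the original page or from AWS: it audits the JSON returned by `aws ec2 describe-volumes`, `aws s3api get-bucket-encryption`, `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` for unencrypted volumes, buckets without a default SSE rule, HTTP listeners, weak TLS policies, and HTTPS listeners whose target group speaks plain HTTP (the SSL offload case, where traffic to the instances is in cleartext). The sample documents are constructed, not captured from an account, and the allowlist of TLS 1.2+ security policies is the example's own choice.

```python
"""Offline audit of the controls in options A, B and C: EBS volume encryption,
S3 default server-side encryption, and TLS on the load balancer, including
whether TLS is carried through to the targets or terminated at the ELB.
Added example; the sample data below is constructed, not real account output."""
import json

# Allowlist of predefined ELB security policies that negotiate TLS 1.2 or 1.3 only.
# This set is the example's own choice (assumption), not an AWS-published list.
TLS12_PLUS_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}

ACCOUNT = "111122223333"  # constructed account id used in the sample ARNs
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/0f1e2d3c-example"
TG_HTTPS = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:targetgroup/web-https/0123456789abcdef"
TG_HTTP = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:targetgroup/web-http/fedcba9876543210"

# Constructed sample in the shape of `aws ec2 describe-volumes`.
VOLUMES_JSON = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": KEY_ARN,
     "Attachments": [{"InstanceId": "i-0001"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0002"}]},
]})

# Constructed: bucket name -> output of `aws s3api get-bucket-encryption`, or None when
# the call failed with ServerSideEncryptionConfigurationNotFoundError (older buckets).
BUCKETS = {
    "app-data": json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": KEY_ARN}}]}}),
    "public-assets": json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}),
    "legacy-logs": None,
}

# Constructed samples in the shape of `aws elbv2 describe-listeners` / `describe-target-groups`.
LISTENERS_JSON = json.dumps({"Listeners": [
    {"Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_HTTPS}]},
    {"Protocol": "HTTPS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_HTTP}]},
    {"Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]})
TARGET_GROUPS_JSON = json.dumps({"TargetGroups": [
    {"TargetGroupArn": TG_HTTPS, "Protocol": "HTTPS", "Port": 443},
    {"TargetGroupArn": TG_HTTP, "Protocol": "HTTP", "Port": 8080},
]})


def audit_ebs(volumes_doc):
    """Flag unencrypted volumes: an unencrypted volume leaves data at rest, the
    volume<->instance traffic and every snapshot of it in cleartext."""
    findings = []
    for vol in json.loads(volumes_doc)["Volumes"]:
        if not vol.get("Encrypted", False):
            attached = ",".join(a["InstanceId"] for a in vol.get("Attachments", [])) or "unattached"
            findings.append(f"EBS {vol['VolumeId']} ({attached}): not encrypted")
    return findings


def audit_s3(buckets):
    """Flag buckets with no default SSE rule, and SSE-KMS rules that fall back to the
    AWS managed key aws/s3 (no customer key policy can be applied to that key)."""
    findings = []
    for name, doc in buckets.items():
        if doc is None:
            findings.append(f"S3 {name}: no default server-side encryption rule")
            continue
        for rule in json.loads(doc)["ServerSideEncryptionConfiguration"]["Rules"]:
            sse = rule["ApplyServerSideEncryptionByDefault"]
            if sse["SSEAlgorithm"] == "aws:kms" and not sse.get("KMSMasterKeyID"):
                findings.append(f"S3 {name}: SSE-KMS with the AWS managed key aws/s3")
    return findings


def audit_elb(listeners_doc, target_groups_doc):
    """Check client-side TLS on each listener, its security policy, and whether the
    forward target group also speaks HTTPS (end-to-end) or plain HTTP (offload)."""
    tg_proto = {tg["TargetGroupArn"]: tg["Protocol"]
                for tg in json.loads(target_groups_doc)["TargetGroups"]}
    findings = []
    for lst in json.loads(listeners_doc)["Listeners"]:
        port, actions = lst["Port"], lst.get("DefaultActions", [])
        if lst["Protocol"] == "HTTP":
            # An HTTP listener is acceptable only if all it does is redirect to HTTPS.
            only_redirects = bool(actions) and all(
                a["Type"] == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                for a in actions)
            if not only_redirects:
                findings.append(f"ELB listener :{port}: HTTP, client traffic in cleartext")
            continue
        if lst.get("SslPolicy") not in TLS12_PLUS_POLICIES:
            findings.append(f"ELB listener :{port}: policy {lst.get('SslPolicy')} not in TLS 1.2+ allowlist")
        for a in actions:
            if a["Type"] == "forward" and tg_proto.get(a.get("TargetGroupArn")) == "HTTP":
                findings.append(f"ELB listener :{port}: TLS terminated at the load balancer, "
                                "traffic to targets in cleartext")
    return findings


def audit_all():
    """Run all three checks against the constructed samples."""
    return (audit_ebs(VOLUMES_JSON) + audit_s3(BUCKETS)
            + audit_elb(LISTENERS_JSON, TARGET_GROUPS_JSON))


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Against the constructed samples the script reports the unencrypted volume, the bucket with no SSE rule, and two findings on the :8443 listener (an old security policy, and TLS terminated at the load balancer because its target group is HTTP); the :80 listener passes because it only redirects to HTTPS. To run it on a real account, replace the constants with the output of the four CLI calls named in the module docstring.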