AWS Certified Developer - Associate


A financial services company aims to protect its customer data by ensuring it is always encrypted while stored in Amazon S3. The company seeks a solution managed by AWS that provides them the ability to fully control the creation, rotation, and removal of the encryption keys.

Given this requirement, as a Developer Associate, which of the following solutions would you recommend to meet this use-case?




Explanation:

Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)

You have the following options for protecting data at rest in Amazon S3:

Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects.

Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

When you use server-side encryption with AWS KMS (SSE-KMS), you can use the default AWS managed CMK, or you can specify a customer-managed CMK that you have already created.

Creating your own customer-managed CMK gives you more flexibility and control over the CMK. For example, you can create, rotate, and disable customer-managed CMKs. You can also define access controls and audit the customer-managed CMKs that you use to protect your data.
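The control the explanation describes (a customer-managed CMK that you create, rotate, disable and audit, applied to S3 objects through SSE-KMS) has two halves in practice: the client asks for `aws:kms` encryption under a specific key, and the bucket policy rejects uploads that do not. The following is an added example, not code from the original page or from AWS; it builds the `put_object` parameters for boto3 (the `ServerSideEncryption` and `SSEKMSKeyId` parameter names are real, but the call is only constructed here, not sent), generates the two-statement bucket policy AWS commonly recommends, and includes a small local evaluator for those two Deny statements so the policy logic can be checked offline. The bucket name and key ARN are constructed placeholders, and the evaluator is a simplified model of IAM (it implements only the `Null` and `StringNotEquals` operators and compares `StringNotEquals` only against headers that are present, leaving the missing-header case to the `Null` statement).

```python
"""
Added example (not part of the original page or of AWS's own code):
enforcing SSE-KMS with a customer-managed key on an S3 bucket.
"""
import json

# Constructed placeholders; substitute your own bucket and key ARN.
BUCKET = "example-customer-data-bucket"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# S3 condition keys that a bucket policy can evaluate on PutObject.
ALG_HEADER = "s3:x-amz-server-side-encryption"
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def sse_kms_put_args(bucket, key, body, cmk_arn):
    """Keyword arguments for boto3 s3.put_object() that request SSE-KMS
    under a customer-managed key rather than the default AWS managed key."""
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": cmk_arn,
    }


def build_sse_kms_bucket_policy(bucket, cmk_arn):
    """Bucket policy denying PutObject unless the request asks for aws:kms
    encryption with exactly the given customer-managed key."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                # Deny when the encryption header is absent altogether.
                "Condition": {"Null": {ALG_HEADER: "true"}},
            },
            {
                "Sid": "DenyWrongAlgorithmOrKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                # Deny SSE-S3 (AES256) and any KMS key other than ours.
                "Condition": {
                    "StringNotEquals": {
                        ALG_HEADER: "aws:kms",
                        KEY_HEADER: cmk_arn,
                    }
                },
            },
        ],
    }


def put_allowed(policy, request_headers):
    """Simplified local model of the two Deny statements above.

    request_headers maps condition key -> value as S3 would see it.
    Only Null and StringNotEquals are implemented; an explicit Deny wins,
    otherwise the request is treated as allowed by this policy (IAM
    identity policies would still apply in a real account)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt["Condition"]
        denied = False
        for ckey, expected in cond.get("Null", {}).items():
            # Null: "true" means the key must be absent for the condition to hold.
            if (ckey not in request_headers) == (expected == "true"):
                denied = True
        for ckey, expected in cond.get("StringNotEquals", {}).items():
            # Simplification: compare only headers that are present; absence
            # is caught by the Null statement.
            if ckey in request_headers and request_headers[ckey] != expected:
                denied = True
        if denied:
            return False
    return True


if __name__ == "__main__":
    policy = build_sse_kms_bucket_policy(BUCKET, CMK_ARN)
    print(json.dumps(policy, indent=2))
    print(sse_kms_put_args(BUCKET, "customers/1.json", b"{}", CMK_ARN))
```

Rotation, disabling and auditing then happen on the key itself in KMS (key policy, automatic rotation, CloudTrail) without touching the bucket, which is the flexibility the explanation refers to.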