S3 Quiz
A company is planning to store sensitive documents in an S3 bucket. They want to ensure that documents are encrypted at rest. They want to ensure that they manage the underlying keys which are used for encryption. Which of the following can be used for this purpose? Choose 2 answers from the options given below
A. Use S3 server-side encryption with Customer keys
B. Use S3 client-side encryption
C. Use S3 server-side encryption with AWS managed keys
D. Use S3 server-side encryption with AWS KMS keys with Key policy document of size 40kb.
A. & D.
The AWS Documentation mentions the following
Server-side encryption is about protecting data at rest. Using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects. Therefore, you don’t need to maintain any code to perform data encryption and decryption. The only thing you do is manage the encryption keys you provide.
Options C is incorrect since here you will still not manage the complete lifecycle of the keys.
Options D is incorrect, because the maximum key policy document size is 32kb.
https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
Option E is correct since your own keys can be uploaded to the Key management service.
https://aws.amazon.com/blogs/aws/new-bring-your-own-keys-with-aws-key-management-service/
For more information on Server side encryption with customer keys and Client side encryption, please refer to the below URL
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
