AWS S3 Bucket Encryption: Key Management Options


Question

Your company is developing an application that needs to interact with an S3 bucket.

There is a requirement that all data in the bucket is encrypted at rest.

You also need to ensure that you manage the keys.

Which of the following options can you use for this purpose? (Select TWO)

Explanations

Answer - C and D.

This is given in the AWS Documentation.

Use Server-Side Encryption with Customer-Provided Keys (SSE-C)

You manage the encryption keys, and Amazon S3 manages the encryption as it writes to disks and the decryption when you access your objects.

You can encrypt data client-side and upload the encrypted data to Amazon S3.

In this case, you manage the encryption process, the encryption keys, and related tools.

Options A and B are incorrect since these keys are managed by AWS.

For more information on server-side encryption for S3, please refer to the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

Sure, I'll explain the options for you:

A. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): This option uses encryption keys managed by Amazon S3, which means that Amazon S3 handles the entire encryption process, including key management. In this option, data is encrypted before being stored in S3 and decrypted when accessed. This option is the simplest to use, as you don't need to worry about key management, but it is also the least secure since Amazon S3 manages the keys.

B. Server-Side Encryption with AWS KMS Keys stored in AWS Key Management Service (KMS): This option uses AWS Key Management Service (KMS) to manage encryption keys for the data stored in S3. KMS provides you with more control over the keys than SSE-S3, and you can manage and audit the keys used for encryption. You can also use KMS to create and manage customer master keys (CMKs) for your data in S3, which gives you more control over the encryption process.

C. Server-Side Encryption with Customer-Provided Keys (SSE-C): This option allows you to provide your own encryption keys, which means that you can manage the keys yourself. In this option, you provide the encryption key to Amazon S3 when you upload the object, and Amazon S3 uses the key to encrypt the object data before storing it. You also need to provide the key when you access the object to decrypt the data.

D. Client-Side Encryption: This option involves encrypting the data before it is uploaded to S3. This option requires you to manage the encryption keys yourself, and you can use any encryption library that supports the Advanced Encryption Standard (AES) algorithm.

So, in summary, options A and B are the correct answers as they both allow you to ensure that all data in the S3 bucket is encrypted at rest and manage the keys. Option C allows you to manage the keys, but you need to provide the encryption key yourself. Option D involves client-side encryption and is not a server-side encryption option.
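The SSE-C mechanism described under option C (the caller supplies the key on every upload and every download, and S3 never keeps the key) is easier to see in code. The block below is an added example, not code from the question page or from AWS: it builds the three REST headers S3 expects for SSE-C, the equivalent boto3 `put_object`/`get_object` keyword arguments, and a bucket policy that denies uploads made without a customer-provided key. The header names, the `SSECustomerAlgorithm`/`SSECustomerKey` parameter names and the `s3:x-amz-server-side-encryption-customer-algorithm` condition key are the documented ones; `FakeS3Client`, the bucket name and the object contents are constructed placeholders so the example runs offline, and the fake mimics S3 by storing only a salted HMAC of the key rather than the key itself.

```python
"""SSE-C request construction and a deny-unless-SSE-C bucket policy (added example)."""
import base64
import hashlib
import hmac
import io
import json
import secrets

SSEC_KEY_BYTES = 32  # SSE-C requires a 256-bit AES key; S3 rejects any other length


def generate_ssec_key() -> bytes:
    """Fresh random key. This is the key *you* manage: S3 never stores it,
    so losing it makes every object encrypted under it unrecoverable."""
    return secrets.token_bytes(SSEC_KEY_BYTES)


def is_valid_ssec_key(key) -> bool:
    return isinstance(key, (bytes, bytearray)) and len(key) == SSEC_KEY_BYTES


def ssec_headers(key: bytes) -> dict:
    """The three headers the S3 REST API expects on a PUT or GET with SSE-C.
    The key travels base64-encoded (so the request must use TLS); the MD5 header
    lets S3 detect a key corrupted in transit before it encrypts with it."""
    if not is_valid_ssec_key(key):
        raise ValueError(f"SSE-C key must be {SSEC_KEY_BYTES} bytes")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def decode_ssec_key(headers: dict) -> bytes:
    """Reverse of ssec_headers, performing the same MD5 integrity check S3 does."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    if headers["x-amz-server-side-encryption-customer-key-MD5"] != expected:
        raise ValueError("key MD5 header does not match the supplied key")
    return key


def ssec_params(key: bytes) -> dict:
    """Same key as boto3 keyword arguments; boto3 derives the MD5 itself."""
    if not is_valid_ssec_key(key):
        raise ValueError(f"SSE-C key must be {SSEC_KEY_BYTES} bytes")
    return {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": bytes(key)}


class FakeS3Client:
    """Constructed stand-in for a boto3 S3 client. Like S3, it keeps a salted
    HMAC of the customer key to validate later requests, never the key."""

    def __init__(self):
        self._objects = {}

    def put_object(self, Bucket, Key, Body, SSECustomerAlgorithm, SSECustomerKey):
        salt = secrets.token_bytes(16)
        tag = hmac.new(salt, SSECustomerKey, hashlib.sha256).digest()
        self._objects[(Bucket, Key)] = (bytes(Body), salt, tag)

    def get_object(self, Bucket, Key, SSECustomerAlgorithm, SSECustomerKey):
        body, salt, tag = self._objects[(Bucket, Key)]
        if not hmac.compare_digest(tag, hmac.new(salt, SSECustomerKey, hashlib.sha256).digest()):
            raise PermissionError("400 Bad Request: SSE-C key does not match the object")
        return {"Body": io.BytesIO(body)}


def put_and_get(client, bucket: str, obj_key: str, body: bytes, key: bytes) -> bytes:
    """Round-trip an object with SSE-C. The key must be sent again on GET:
    unlike SSE-S3 or SSE-KMS, S3 cannot decrypt the object on its own."""
    client.put_object(Bucket=bucket, Key=obj_key, Body=body, **ssec_params(key))
    return client.get_object(Bucket=bucket, Key=obj_key, **ssec_params(key))["Body"].read()


def can_read_with_key(client, bucket: str, obj_key: str, key: bytes) -> bool:
    """True if the object decrypts under `key`; a wrong key is rejected, not ignored."""
    try:
        client.get_object(Bucket=bucket, Key=obj_key, **ssec_params(key))
        return True
    except PermissionError:
        return False


def require_ssec_policy(bucket: str) -> dict:
    """Bucket policy denying PutObject requests that carry no SSE-C algorithm header,
    so neither plaintext nor S3-managed-key uploads can land in the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPutWithoutCustomerKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "true"}},
        }],
    }


if __name__ == "__main__":
    k = generate_ssec_key()
    print(json.dumps(ssec_headers(k), indent=2))
    print(put_and_get(FakeS3Client(), "example-bucket", "report.csv", b"id,total\n1,9\n", k))
    print(json.dumps(require_ssec_policy("example-bucket"), indent=2))
```

Two operational points follow from the code: the key is part of every request, so a lost or rotated key has to be handled by re-uploading objects (S3 cannot re-encrypt for you), and the policy only enforces that some customer key was supplied, so key quality and storage remain your responsibility, exactly as the question's "you manage the keys" requirement implies.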