AWS Certified Solutions Architect - Associate Exam Practice Questions | SAA-C03

How to Ensure Encryption at Rest for Sensitive Documents in AWS S3 Bucket


Question

Your company is planning to store sensitive documents in a bucket in the Simple Storage service.

They need to ensure that all objects are encrypted at rest in the bucket.

Which of the following can help accomplish this? Choose 2 answers from the options given below.

Answers

Explanations


Answer - A and D.

Options B and C are incorrect since these options cannot be used to encrypt the objects.

Using an S3 bucket policy, you can enforce the encryption requirement when users upload objects.

Refer to the URL below for more details.

https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
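The bucket-policy approach referenced above, as an added example that is not part of this page or of AWS's own code: the policy follows the shape recommended in the linked blog post (two Deny statements on `s3:PutObject`), and a small evaluator, written here for illustration, shows which statement rejects an upload whose encryption header is wrong or missing. The bucket name and the evaluator are assumptions.

```python
# Constructed policy in the shape the linked AWS blog post recommends: one Deny
# for an incorrect s3:x-amz-server-side-encryption header, and one (Null
# condition) for uploads that omit the header altogether.
def build_sse_enforcing_policy(bucket: str) -> dict:
    resource = f"arn:aws:s3:::{bucket}/*"  # bucket name is an assumed placeholder
    return {
        "Version": "2012-10-17",
        "Id": "PutObjectPolicy",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
                },
            },
            {
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


# Illustrative evaluator (not an AWS library) for the two condition operators
# this policy uses. request_context maps IAM condition keys to the value the
# PutObject request carries, e.g. its x-amz-server-side-encryption header.
def denying_statements(policy: dict, request_context: dict) -> list:
    denied_by = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for operator, pairs in stmt["Condition"].items():
            for key, expected in pairs.items():
                present = key in request_context
                if operator == "Null":
                    # Null:"true" matches when the key is absent from the request
                    matched = present != (expected == "true")
                elif operator == "StringNotEquals":
                    # A negated operator also matches when the key is absent
                    matched = (not present) or request_context[key] != expected
                else:
                    raise ValueError(f"unsupported operator {operator}")
                if matched:
                    denied_by.append(stmt["Sid"])
    return denied_by
```

An upload that sends `x-amz-server-side-encryption: AES256` matches neither Deny statement; any other value or a missing header is rejected, which is the enforcement the question's answer relies on.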

The term 'at rest' refers to data while it is stored, as opposed to data in transit (while it is traveling to S3).

Server-side encryption provides encryption at rest.

Client-side encryption provides encryption both in transit and at rest, because the data is encrypted before it leaves the client.

You have three options depending on how you choose to manage the encryption keys:

SSE-S3 requires that Amazon S3 manage the data and master encryption keys.

SSE-C requires that you manage the encryption key.

SSE-KMS requires that AWS manage the data key, but you manage the master key in AWS KMS.

For more information, please refer to the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html

Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket.

You can set default encryption on a bucket to encrypt all new objects when they are stored in the bucket.

The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS).

For more information on server-side encryption, please refer to the URL below:

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

For details on default encryption (option A), please refer to the URL below:

https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html

To ensure that all objects are encrypted at rest in an S3 bucket, two approaches can be taken:

  1. Enable default encryption for the S3 bucket.
  2. Use a KMS key to encrypt the objects in the bucket.

A. Enable default encryption for the S3 bucket: AWS S3 provides a feature to enable default encryption for a bucket. This can be done by enabling server-side encryption. Once enabled, any object that is added to the bucket will be automatically encrypted at rest. AWS S3 provides two types of encryption for this purpose, namely:

  • SSE-S3 (Server-Side Encryption with Amazon S3-managed keys): This is the default encryption type provided by S3. It encrypts objects using AES-256 encryption and manages the encryption keys for you.

  • SSE-KMS (Server-Side Encryption with AWS KMS-managed keys): This type of encryption lets you encrypt objects in S3 with a key that you manage in AWS KMS, rather than one managed entirely by S3.

B. Use a KMS key to encrypt the objects in the bucket: AWS KMS (Key Management Service) can be used to create and manage encryption keys that can be used to encrypt objects in S3. By using a KMS key, you have more control over the encryption process, and you can audit and manage access to the keys.

C. The bucket ACL is not used for encrypting objects at rest in an S3 bucket. The ACL is used to set permissions for the objects in the bucket.

D. Changing the bucket configuration to use a KMS key is one of the ways to encrypt objects at rest in an S3 bucket.

Therefore, options A and D are the correct answers to ensure that all objects are encrypted at rest in an S3 bucket.