S3 Bucket Versioning and Server-Side Encryption with Customer-Provided Keys (SSE-C) | AWS Security Specialty Exam

Using Customer-Provided Keys (SSE-C) for Server-Side Encryption in AWS S3 Bucket

Question

A user has enabled versioning on an S3 bucket.

The user is using server-side encryption for data at rest.

If the user is supplying his own keys for encryption (SSE-C), which of the below-mentioned statements is true?

Answers

Explanations



Answer: B.

Option A is incorrect because, ideally, you should use different encryption keys for different object versions to provide additional security.

Option B is CORRECT because using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys.

Option C is incorrect because AWS S3 allows users to provide their own encryption keys.

If your bucket is versioning-enabled, each object version you upload using this feature can have its own encryption key.

You are responsible for tracking which encryption key was used for which object version.

Option D is incorrect because SSE-C encryption works even if versioning is enabled.

For more information on SSE-C, refer to the URL below:

https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html

If a user is using server-side encryption with customer-provided keys (SSE-C) for an Amazon S3 bucket that has versioning enabled, it is possible to have different encryption keys for different versions of the same object. This is because, with SSE-C, the key is supplied with each upload request, so every object version is encrypted with whatever key the user provided for that particular version.

SSE-C allows the user to supply their own encryption key to encrypt and decrypt objects stored in Amazon S3. When the user uploads an object to Amazon S3, they include the encryption key in the request headers. Amazon S3 then encrypts the object with the key provided by the user and stores the encrypted object in the bucket.

When versioning is enabled on an S3 bucket, Amazon S3 automatically creates a new version of an object each time it is overwritten or deleted. Each version of an object is uniquely identified by a version ID. When the user uploads a new version of an object, they can supply a different encryption key for that version. This allows the user to rotate encryption keys or revoke access to a specific version of an object without affecting other versions of the same object.
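As an added example (not from the linked AWS documentation or this question's source), the following shows how the SSE-C request headers are built from a customer key and why the customer, not S3, has to track which key encrypted which version. The VersionedBucket class is a constructed stand-in for S3 that only validates keys and mints version IDs; the object name, bodies and keys are made up.

```python
import base64
import hashlib
import hmac
import os

KEY_LEN = 32  # SSE-C keys are 256-bit AES keys; S3 rejects any other length

def sse_c_headers(key: bytes) -> dict:
    """Headers S3 requires on every SSE-C request (PUT, GET, HEAD, and the COPY source)."""
    if len(key) != KEY_LEN:
        raise ValueError("SSE-C key must be exactly 32 bytes")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

class VersionedBucket:
    """Constructed stand-in for a versioning-enabled bucket (encryption itself is not modelled)."""
    def __init__(self):
        # (object key, version id) -> (salt, HMAC of the key, body): like S3, only a salted HMAC of
        # the customer key is kept, so the bucket can check a key but can never hand one back
        self.versions = {}

    def put(self, obj_key: str, body: bytes, key: bytes) -> str:
        sse_c_headers(key)  # reject malformed keys exactly as the request headers would
        version_id = os.urandom(8).hex()  # versioning: every PUT mints a new version id
        salt = os.urandom(16)
        self.versions[(obj_key, version_id)] = (salt, hmac.new(salt, key, "sha256").digest(), body)
        return version_id

    def get(self, obj_key: str, version_id: str, key: bytes) -> bytes:
        salt, tag, body = self.versions[(obj_key, version_id)]
        if not hmac.compare_digest(tag, hmac.new(salt, key, "sha256").digest()):
            raise PermissionError("403: the supplied key does not match this object version")
        return body

def rotate_keys_demo():
    """Upload two versions of one object under different keys and read each back with its own key."""
    bucket, registry = VersionedBucket(), {}  # registry: version id -> key; the customer must keep this
    k1, k2 = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    v1 = bucket.put("report.txt", b"draft", k1)
    v2 = bucket.put("report.txt", b"final", k2)  # new version, new key: v1 is untouched
    registry[v1], registry[v2] = k1, k2
    out = {v: bucket.get("report.txt", v, registry[v]) for v in (v1, v2)}
    try:
        bucket.get("report.txt", v1, k2)  # the old version with the new key
        cross_key_ok = True
    except PermissionError:
        cross_key_ok = False
    return out[v1], out[v2], cross_key_ok
```

Losing the registry entry for a version means that version is unreadable, which is exactly the tracking responsibility the explanation above describes.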

In summary, when using SSE-C with versioning enabled on an S3 bucket, it is possible to have different encryption keys for different versions of the same object. The user can choose to use a different key for each version, allowing for greater security and flexibility in key management.