AWS SCS-C01 Exam: How to Meet Compliance Policies for S3 Bucket Encryption

Meeting Compliance Policies for S3 Bucket Encryption

Question

A company continuously generates sensitive records that it stores in an S3 bucket.

All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs.

Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?

Answers

A. Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.

B. Configure the CMK to rotate the key material every month.

C. Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.

D. Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

Explanations

Answer: A.

Option A is CORRECT. A scheduled CloudWatch Events rule invokes a Lambda function once a month; the function creates a new CMK (CreateKey) and then changes the bucket's default encryption (PutBucketEncryption) so that SSE-KMS uses the new key. Objects written from that point on are encrypted under the new CMK, and because the previous CMK is kept, objects written in earlier months can still be decrypted.

Option B is incorrect because AWS KMS automatic rotation cannot be set to run monthly. When this exam was current, automatic rotation of a customer managed CMK ran on a fixed one-year cycle; KMS has since added configurable rotation periods, but the shortest allowed period is 90 days, so a monthly cycle is still not available.

Option C is incorrect because deleting the old CMK destroys the only means of decrypting the objects that were written under it. S3 does not re-encrypt existing objects when the bucket's default key changes, so every object from the previous month would become permanently unreadable.

Option D is incorrect because a caller cannot rotate the key material of an existing CMK on a schedule of their choosing: AWS-generated key material was rotated only by the KMS automatic rotation schedule, and imported key material cannot be rotated at all (it can only be replaced by creating a new key).

Remember not to delete (or schedule deletion of) the old key. Otherwise you will not be able to decrypt the objects in the S3 bucket that were encrypted under it. The retired keys must stay enabled, and their key policies must keep granting kms:Decrypt to the readers, for as long as the data is retained.

For more information on AWS KMS keys, kindly refer to the URL below.

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

Detailed explanation

SSE-KMS is server-side encryption in which S3 generates a unique data key for every object and asks AWS KMS to encrypt that data key under the KMS key named by the request or, failing that, by the bucket's default encryption setting. In this scenario that key is one of the company's customer managed CMKs. Encrypting under a CMK is a sound way to protect sensitive data at rest, but the compliance rule in the question is about the CMK itself: no more than one month of objects may be protected by the same key, so a fresh CMK has to come into use at least once a month.

Option A does exactly that. A scheduled CloudWatch Events rule (the service is now called EventBridge) invokes a Lambda function each month. The function calls CreateKey, optionally moves an alias to the new key so that applications keep referring to a single name, and then calls PutBucketEncryption so that the bucket's default SSE-KMS key is the new CMK. Objects written afterwards use the new key; objects written earlier stay encrypted under the previous month's key, and because that key still exists KMS can still decrypt them on read.

Two practical caveats apply. Changing the default encryption does not re-encrypt existing objects, which is what the policy wants, but it also means every previous key has to remain available for as long as its objects are retained. Second, an uploader can override the bucket default by sending an explicit x-amz-server-side-encryption-aws-kms-key-id header, so if the policy must be enforced rather than merely defaulted, the same Lambda should also update a bucket policy that denies s3:PutObject unless the s3:x-amz-server-side-encryption-aws-kms-key-id condition key matches the current CMK.

Option B, configuring the CMK to rotate its key material every month, fails because KMS automatic rotation is not available at that granularity. Automatic rotation does generate new backing material without changing the key ID or ARN, which would otherwise be convenient, but during the SCS-C01 era it ran once a year with no way to change the period, and the customizable rotation periods KMS later introduced have a 90-day minimum.

Option C, creating a new CMK and deleting the old one, is the dangerous answer. ScheduleKeyDeletion removes the key after a waiting period of 7 to 30 days, and once the key is gone KMS cannot recover it and S3 cannot decrypt the data keys of the objects written under it. Since S3 never re-encrypts existing objects when the default key changes, this option permanently destroys the previous month's data rather than meeting a compliance requirement.

Option D, rotating the key material of the existing CMK from Lambda, describes an operation that did not exist when the exam was written: there was no API for a caller to rotate a CMK's material, and imported key material cannot be rotated at all. KMS has since added an on-demand rotation call (RotateKeyOnDemand), but it is limited to a small number of rotations over a key's lifetime, so it is not a sustainable monthly mechanism either.

In summary, rotating the CMK by creating a new key each month while retaining the old ones satisfies the policy without losing access to existing data, which is why option A is the correct answer.
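The option A Lambda as a worked example (added here; this is not AWS sample code and not from the original page). The rotation logic takes the KMS and S3 clients as parameters so it can be exercised offline against the constructed in-memory stand-ins at the bottom of the block; in a real deployment the handler passes boto3 clients. The alias name alias/records-current, the bucket name, the BUCKET and KEY_ALIAS environment variables, and the account ID and region inside the fakes are all assumptions.

```python
"""Option A as a scheduled Lambda: mint a new KMS key for the month, point the
bucket's default SSE-KMS encryption at it, and keep (never delete) the old key.
Added example, not AWS code; alias, bucket, env var names, account and region are assumed."""
import datetime as dt
import os

def find_alias_target(kms, alias):
    """Return the key ID the alias points at, or None if the alias does not exist."""
    marker = None
    while True:
        page = kms.list_aliases(**({"Marker": marker} if marker else {}))
        for entry in page["Aliases"]:
            if entry["AliasName"] == alias:
                return entry.get("TargetKeyId")
        if not page.get("Truncated"):
            return None
        marker = page["NextMarker"]

def rotate_bucket_key(kms, s3, bucket, alias, period=None):
    """Create a new CMK, move the alias to it and make it the bucket's default key.
    The old key is tagged as retired but left enabled so its objects stay decryptable."""
    period = period or dt.date.today().strftime("%Y-%m")
    old_key_id = find_alias_target(kms, alias)
    new_key = kms.create_key(
        Description=f"SSE-KMS key for s3://{bucket}, period {period}",
        Tags=[{"TagKey": "bucket", "TagValue": bucket}, {"TagKey": "period", "TagValue": period}],
    )["KeyMetadata"]
    if old_key_id is None:
        kms.create_alias(AliasName=alias, TargetKeyId=new_key["KeyId"])
    else:
        kms.update_alias(AliasName=alias, TargetKeyId=new_key["KeyId"])
        # Mark the old key, but never call schedule_key_deletion on it (option C's mistake).
        kms.tag_resource(KeyId=old_key_id, Tags=[{"TagKey": "retired", "TagValue": period}])
    # Default encryption affects only objects written from now on; existing
    # objects remain encrypted under whichever key was current when stored.
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": new_key["Arn"]}}]},
    )
    return {"bucket": bucket, "new_key_id": new_key["KeyId"],
            "new_key_arn": new_key["Arn"], "old_key_id": old_key_id}

def bucket_default_key(s3, bucket):
    """Post-rotation check: the KMS key ARN named by the bucket's default encryption."""
    rules = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]["Rules"]
    return rules[0]["ApplyServerSideEncryptionByDefault"].get("KMSMasterKeyID")

def handler(event, context):
    """Lambda entry point for the monthly CloudWatch Events / EventBridge schedule."""
    import boto3  # present in the Lambda runtime; imported lazily so the logic above runs offline
    return rotate_bucket_key(boto3.client("kms"), boto3.client("s3"),
                             bucket=os.environ["BUCKET"], alias=os.environ["KEY_ALIAS"])

# Constructed in-memory stand-ins for the two boto3 clients (only the calls used above).
class FakeKms:
    def __init__(self):
        self.keys, self.aliases, self.tags = {}, {}, {}

    def create_key(self, **kw):
        key_id = f"11111111-2222-3333-4444-{len(self.keys) + 1:012d}"
        md = {"KeyId": key_id, "Description": kw.get("Description", ""),
              "Arn": f"arn:aws:kms:us-east-1:123456789012:key/{key_id}"}
        self.keys[key_id] = md
        return {"KeyMetadata": md}

    def list_aliases(self, **kw):
        aliases = [{"AliasName": a, "TargetKeyId": k} for a, k in self.aliases.items()]
        return {"Aliases": aliases, "Truncated": False}

    def create_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId

    update_alias = create_alias

    def tag_resource(self, KeyId, Tags):
        self.tags.setdefault(KeyId, []).extend(Tags)

class FakeS3:
    def __init__(self):
        self.encryption = {}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.encryption[Bucket] = ServerSideEncryptionConfiguration

    def get_bucket_encryption(self, Bucket):
        return {"ServerSideEncryptionConfiguration": self.encryption[Bucket]}

if __name__ == "__main__":
    kms, s3 = FakeKms(), FakeS3()
    for period in ("2023-01", "2023-02"):
        print(rotate_bucket_key(kms, s3, "records-bucket", "alias/records-current", period))
    print("default key now:", bucket_default_key(s3, "records-bucket"), "| keys kept:", sorted(kms.keys))
```

Running the block twice in a row (two "months") shows the property the question is testing: the bucket default moves to the second key, the alias follows it, and the first key is still present and merely tagged as retired. The Lambda's execution role needs kms:CreateKey, kms:ListAliases, kms:CreateAlias, kms:UpdateAlias, kms:TagResource and s3:PutEncryptionConfiguration; it deliberately has no reason to hold kms:ScheduleKeyDeletion.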