Amazon S3 Bucket and S3 Glacier Encryption and Audit Trail | SysOps Administrator Exam

Encryption Technique for Legal Documents in Amazon S3 Bucket and S3 Glacier

Question

A legal firm is storing legal documents in Amazon S3 buckets & has configured lifecycle policies to move all old files to Amazon S3 Glacier.

The Security Team is concerned about encrypting these files in both the Amazon S3 bucket & S3 Glacier.

Additionally, they are looking for an audit trail for CMKs used for accessing the objects in the S3 bucket & users using these CMKs. What encryption technique can a SysOps administrator implement?

Answers

Explanations


Correct Answer: C.

For objects stored in an Amazon S3 bucket, there are four ways to encrypt data at rest:

SSE-S3

SSE-KMS

SSE-C

Client-side encryption

With SSE-KMS, there is the additional benefit of an audit trail for the CMKs used for encryption, including which users accessed those CMKs.

For all data stored in Amazon S3 Glacier, encryption is by default enabled using keys managed by AWS.

Option A is incorrect as with encryption using SSE-S3, an audit trail for CMKs used for encryption is not possible.

Options B & D are incorrect because in Amazon S3 Glacier all files are encrypted using AWS-managed keys, so SSE-C cannot be chosen for them.
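The audit trail that makes SSE-KMS the right answer is recorded by AWS CloudTrail: every time S3 encrypts or decrypts an SSE-KMS object it calls KMS on the caller's behalf, and the resulting GenerateDataKey/Decrypt records name the CMK, the principal and the object (via the `aws:s3:arn` encryption context). The following script, added here as an illustration and not taken from the exam page or from AWS, builds a per-CMK, per-user summary from such records. The log records, bucket name, key ARN and user ARNs are constructed placeholders.

```python
"""Build an audit trail of CMK use on S3 objects from CloudTrail KMS events."""
import json
from collections import defaultdict

# Constructed sample values (placeholder ARNs, not real account data).
CMK_1 = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID-1"
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
NDA = "arn:aws:s3:::legal-docs-example/contracts/2024/nda.pdf"
BRIEF = "arn:aws:s3:::legal-docs-example/briefs/2024/brief-17.pdf"


def _kms_event(name, principal, obj, cmk, when):
    """Shape one constructed CloudTrail record for a KMS call S3 made for an object."""
    return {
        "eventTime": when,
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "arn": principal},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": obj}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": cmk}],
    }


# Constructed CloudTrail export: three SSE-KMS calls plus two records that must be ignored.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    _kms_event("GenerateDataKey", ALICE, NDA, CMK_1, "2024-01-10T09:12:01Z"),
    _kms_event("Decrypt", BOB, NDA, CMK_1, "2024-01-10T10:03:44Z"),
    _kms_event("Decrypt", BOB, BRIEF, CMK_1, "2024-01-10T10:05:12Z"),
    # An S3 data event: not a KMS call, so it names no CMK and is skipped.
    {"eventTime": "2024-01-10T10:03:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "arn": BOB},
     "requestParameters": {"bucketName": "legal-docs-example", "key": "contracts/2024/nda.pdf"}},
    # A KMS Decrypt made by some other application: no aws:s3:arn in its context, so skipped.
    {"eventTime": "2024-01-10T11:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {"encryptionContext": {"app": "billing"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": CMK_1}]},
]})


def s3_kms_events(records):
    """Yield only the KMS calls that S3 made for an object protected with SSE-KMS."""
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        context = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        obj = context.get("aws:s3:arn")
        if not obj:
            continue
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                yield {"cmk": res["ARN"], "principal": rec["userIdentity"]["arn"],
                       "action": rec["eventName"], "object": obj, "time": rec["eventTime"]}


def audit_trail(cloudtrail_json):
    """Return {cmk_arn: {principal_arn: {"actions": {name: count}, "objects": [arns]}}}."""
    trail = defaultdict(lambda: defaultdict(lambda: {"actions": defaultdict(int), "objects": set()}))
    for ev in s3_kms_events(json.loads(cloudtrail_json)["Records"]):
        entry = trail[ev["cmk"]][ev["principal"]]
        entry["actions"][ev["action"]] += 1
        entry["objects"].add(ev["object"])
    # Freeze into plain dicts and sorted lists so the result is deterministic.
    return {cmk: {who: {"actions": dict(e["actions"]), "objects": sorted(e["objects"])}
                  for who, e in users.items()}
            for cmk, users in trail.items()}


def format_report(trail):
    """Render one line per (CMK, principal) pair for a reviewer."""
    lines = []
    for cmk in sorted(trail):
        for who in sorted(trail[cmk]):
            entry = trail[cmk][who]
            acts = ", ".join(f"{a}x{n}" for a, n in sorted(entry["actions"].items()))
            lines.append(f"{cmk} | {who} | {acts} | {len(entry['objects'])} object(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit_trail(SAMPLE_CLOUDTRAIL_JSON))))
```

Run against a real export, the same filter separates S3's KMS calls from every other use of the key, which is what lets an auditor answer "who used this CMK, on which documents" without also inspecting S3 data events.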

For more information on encryption at rest for Amazon S3 & S3 Glacier, refer to the following URL,

https://d0.awsstatic.com/whitepapers/AWS%20Storage%20Services%20Whitepaper-v9.pdf

The legal firm wants to store legal documents in Amazon S3 buckets and has configured lifecycle policies to move old files to Amazon S3 Glacier. The Security Team is concerned about encrypting these files in both the Amazon S3 bucket and S3 Glacier. Additionally, they want an audit trail for the CMKs used for accessing the objects in the S3 bucket and for the users using these CMKs.

In this scenario, the SysOps administrator needs to implement encryption techniques to secure the data in both Amazon S3 and S3 Glacier. They also need to provide an audit trail for the CMKs used to access the objects in the S3 bucket and the users using these CMKs.

Option A proposes to implement encryption using SSE-S3 for objects stored in the Amazon S3 bucket, while for S3 Glacier, all files are encrypted with keys managed by AWS. SSE-S3 stands for Server-Side Encryption with Amazon S3-managed keys. In this technique, the encryption keys are managed by AWS, and the user does not have to worry about key management. This technique provides encryption at rest and protects data against unauthorized access. However, it does not provide an audit trail for CMKs used to access the objects in the S3 bucket and users using these CMKs.

Option B proposes to implement encryption using SSE-S3 for objects stored in the Amazon S3 bucket, while for S3 Glacier, use SSE-C encryption. SSE-C stands for Server-Side Encryption with Customer-provided keys. In this technique, the user manages the encryption keys and provides them to AWS during object upload. This technique provides encryption at rest and allows the user to manage the encryption keys. However, it does not provide an audit trail for CMKs used to access the objects in the S3 bucket and users using these CMKs.

Option C proposes to implement encryption using SSE-KMS for objects stored in the Amazon S3 bucket, while for S3 Glacier, all files are encrypted with keys managed by AWS. SSE-KMS stands for Server-Side Encryption with AWS KMS-managed keys. In this technique, the encryption keys are managed by AWS Key Management Service (KMS), which allows users to create, manage, and use encryption keys. This technique provides encryption at rest and allows the user to manage the encryption keys. Additionally, it provides an audit trail for CMKs used to access the objects in the S3 bucket and users using these CMKs, which meets the Security Team's requirements.

Option D proposes to implement encryption using SSE-KMS for objects stored in the Amazon S3 bucket, while for S3 Glacier, use SSE-C encryption. As discussed above, SSE-KMS provides encryption at rest, lets the user manage the encryption keys, and provides the audit trail for CMKs and the users using them, so the S3 bucket part of this option meets the Security Team's requirements. However, files in S3 Glacier are encrypted with AWS-managed keys, so SSE-C cannot be used there. Therefore, this option is not suitable.

In conclusion, option C is the most appropriate option as it provides the required encryption at rest and audit trail for CMKs used to access the objects in the S3 bucket and users using these CMKs.
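Choosing SSE-KMS is only half the job; the administrator also has to make sure every object actually lands under the firm's CMK. The script below, added here as an example and not part of the exam page or of any AWS SDK, produces the two settings that do this (bucket default encryption set to `aws:kms`, and a bucket policy that denies any `PutObject` whose encryption headers are not SSE-KMS with the expected key) and includes a small local evaluator for those two Deny statements so the policy can be sanity-checked before it is applied. The bucket name and key ARN are placeholders.

```python
"""Enforce SSE-KMS on a bucket: default encryption, a deny policy, and a local check."""

BUCKET = "legal-docs-example"                                          # placeholder
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID-1"   # placeholder
SSE_HEADER = "x-amz-server-side-encryption"
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"


def default_encryption_config(cmk_arn):
    """ServerSideEncryptionConfiguration for PutBucketEncryption: objects written
    without an encryption header get SSE-KMS under this CMK (Bucket Keys reduce KMS calls)."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": cmk_arn},
        "BucketKeyEnabled": True,
    }]}


def sse_kms_bucket_policy(bucket, cmk_arn):
    """Bucket policy denying any PutObject that does not explicitly use SSE-KMS with cmk_arn."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonSseKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyOtherCmk", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": cmk_arn}}},
    ]}


# Request header -> policy condition key, for the local check below.
_HEADER_TO_CONDITION_KEY = {
    SSE_HEADER: "s3:x-amz-server-side-encryption",
    KEY_HEADER: "s3:x-amz-server-side-encryption-aws-kms-key-id",
}


def upload_denied_by(policy, headers):
    """Simplified evaluator for the Deny statements above (not a full IAM engine).

    Returns the Sid of the first statement that rejects a PutObject carrying these
    request headers, or None if the upload passes. As in IAM, a StringNotEquals
    condition matches when the key is absent, so an upload with no encryption
    header is denied outright instead of silently relying on the bucket default.
    """
    context = {cond: headers[h] for h, cond in _HEADER_TO_CONDITION_KEY.items() if h in headers}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            if context.get(key) != expected:
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = sse_kms_bucket_policy(BUCKET, CMK_ARN)
    for label, hdrs in [("no header", {}),
                        ("SSE-S3", {SSE_HEADER: "AES256"}),
                        ("SSE-KMS, right key", {SSE_HEADER: "aws:kms", KEY_HEADER: CMK_ARN})]:
        print(f"{label}: denied by {upload_denied_by(policy, hdrs)}")
```

The two dictionaries map directly onto the `ServerSideEncryptionConfiguration` argument of `put_bucket_encryption` and the JSON body of `put_bucket_policy`. Because the policy denies uploads that omit the header entirely, clients must send `x-amz-server-side-encryption: aws:kms`; if the firm would rather let the bucket default fill that in, the first statement needs an additional `Null` condition, which is a deliberate choice rather than an oversight.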