Your Security Team has some security concerns about the application data stored on S3

The team requires you to introduce two improvements: (i) add "encryption at rest" and (ii) give them the possibility to monitor who has accessed the data and when the data have been accessed. Which of the following AWS solutions would you adopt to satisfy the requirement?

A. AWS Certificate Manager with CloudTrail.

B. Server-Side Encryption managed by S3 (SSE-S3) with CloudTrail.

C. Server-Side Encryption managed by customer (SSE-C) with CloudTrail.

D. Server-Side Encryption managed by KMS (SSE-KMS) with CloudTrail.

1 Answer


Answer: D.

Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3.

CloudTrail logs successful operations and attempted calls that failed, such as when the caller is denied access to a resource.

Operations on KMS keys in other accounts are logged in both the caller account and the KMS key owner account.

Option A is INCORRECT: AWS Certificate Manager is not a solution for encryption at rest.

It is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Hence it is a solution for "encryption in transit", not "encryption at rest."

Option B is INCORRECT because SSE-S3 does “encryption/decryption at rest”, but it does not offer monitoring capabilities (who/when encrypts/decrypts).

Option C is INCORRECT because SSE-C does “encryption/decryption at rest”, but it does not offer monitoring capabilities (who/when encrypts/decrypts).

Option D is CORRECT because SSE-KMS does “encryption/decryption at rest” and does offer monitoring capabilities.

CloudTrail captures all API calls to AWS KMS as events, including calls from the AWS KMS console, AWS KMS APIs, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell.

...
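As an added example (not part of the question or the answer above), the following Python script shows what the "who and when" monitoring from option D looks like in practice: it reads CloudTrail records and lists every KMS call that S3 made for an SSE-KMS object, including denied attempts, by keying on the `aws:s3:arn` encryption context S3 attaches to its KMS requests. The records, account id, bucket and principal names are constructed samples, not real log data.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail records, not real log data. Field names follow
# the CloudTrail record format; the account id, ARNs and bucket are made up.
SAMPLE_CLOUDTRAIL = json.loads("""{"Records": [
 {"eventTime": "2024-03-01T10:15:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::app-data/report.csv"}}},
 {"eventTime": "2024-03-01T10:20:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "userIdentity": {"type": "AssumedRole",
  "arn": "arn:aws:sts::111122223333:assumed-role/Analyst/bob"},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::app-data/report.csv"}}},
 {"eventTime": "2024-03-01T10:25:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::111122223333:user/mallory"},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::app-data/report.csv"}}},
 {"eventTime": "2024-03-01T10:30:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": null}
]}""")

# KMS operations S3 performs on the caller's behalf for SSE-KMS objects:
# GenerateDataKey when an object is written, Decrypt when it is read.
S3_KMS_ACTIONS = {"GenerateDataKey": "write", "Decrypt": "read"}

def s3_kms_access_log(trail):
    """Return who/when/object/action/succeeded for every KMS call S3 made
    for an SSE-KMS object. Failed calls (errorCode present) are kept, since
    CloudTrail records denied attempts too."""
    rows = []
    for rec in trail["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        action = S3_KMS_ACTIONS.get(rec.get("eventName"))
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        obj = ctx.get("aws:s3:arn")  # set only when S3 was the KMS caller
        if action is None or obj is None:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"who": rec["userIdentity"]["arn"], "when": when, "object": obj,
                     "action": action, "succeeded": "errorCode" not in rec})
    return sorted(rows, key=lambda r: r["when"])

def denied_attempts(trail):
    """Denied KMS calls against SSE-KMS objects: the events worth alerting on."""
    return [r for r in s3_kms_access_log(trail) if not r["succeeded"]]

if __name__ == "__main__":
    for r in s3_kms_access_log(SAMPLE_CLOUDTRAIL):
        print(f"{r['when'].isoformat()} {r['who']} {r['action']} {r['object']} "
              f"{'ok' if r['succeeded'] else 'DENIED'}")
```

With SSE-S3 or SSE-C there are no per-object KMS events to correlate, which is why the answer ties the monitoring requirement to SSE-KMS.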