103. Key Management Service (KMS)


Question 1:
A US-based healthcare startup is building an interactive diagnostic tool for COVID-19 related assessments. The users would be required to capture their personal health records via this tool. As this is sensitive health information, the backup of the user data must be kept encrypted in S3. The startup does not want to provide its own encryption keys but still wants to maintain an audit trail of when an encryption key was used and by whom.
Which of the following is the BEST solution for this use-case?
Options:
A. Use SSE-KMS to encrypt the user data on S3
B. Use SSE-S3 to encrypt the user data on S3
C. Use SSE-C to encrypt the user data on S3
D. Use client-side encryption with client provided keys and then upload the encrypted user data to S3
Answer: A
Explanation
Correct option:
Use SSE-KMS to encrypt the user data on S3
AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. When you use server-side encryption with AWS KMS (SSE-KMS), you can specify a customer-managed CMK that you have already created. SSE-KMS provides you with an audit trail that shows when your CMK was used and by whom. Therefore, SSE-KMS is the correct solution for this use-case.
Incorrect options:
Use SSE-S3 to encrypt the user data on S3 – When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. However, this option does not provide an audit trail of when the encryption keys were used and by whom.
Use SSE-C to encrypt the user data on S3 – With Server-Side Encryption with Customer-Provided Keys (SSE-C), you manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption when you access your objects. However, this option does not provide an audit trail of when the encryption keys were used and by whom.
Use client-side encryption with client provided keys and then upload the encrypted user data to S3 – Using client-side encryption is ruled out as the startup does not want to provide the encryption keys.
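The audit trail that makes SSE-KMS the right answer here is recorded by AWS CloudTrail: every cryptographic use of the KMS key (GenerateDataKey when S3 encrypts an object, Decrypt when it is read) is logged with the calling principal and, for S3, an encryption context naming the object. The following is an added example, not part of the original question set, that pulls that "when and by whom" view out of a handful of constructed CloudTrail records; the account id, key id, bucket and user names are placeholders, and the record shape is a simplified version of real CloudTrail JSON.

```python
from collections import Counter

# Constructed sample CloudTrail records (hypothetical account id, key id,
# bucket and principal names; simplified from the real CloudTrail schema).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OBJECT_ARN = "arn:aws:s3:::phr-backups/2021-03-01.tar.gz"

SAMPLE_CLOUDTRAIL = [
    {   # S3 asks KMS for a data key while encrypting the uploaded backup
        "eventTime": "2021-03-01T10:15:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/backup-job"},
        "requestParameters": {"keyId": KEY_ARN,
                              "encryptionContext": {"aws:s3:arn": OBJECT_ARN}},
    },
    {   # An analyst downloads the object; S3 has KMS unwrap the data key
        "eventTime": "2021-03-02T08:02:11Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Analyst/alice"},
        "requestParameters": {"keyId": KEY_ARN,
                              "encryptionContext": {"aws:s3:arn": OBJECT_ARN}},
    },
    {   # Metadata lookup: a KMS call, but the key material was not used
        "eventTime": "2021-03-02T09:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/auditor"},
        "requestParameters": {"keyId": KEY_ARN},
    },
    {   # The S3 data-plane call itself is logged separately and is not a KMS event
        "eventTime": "2021-03-01T10:15:01Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/backup-job"},
        "requestParameters": {"bucketName": "phr-backups", "key": "2021-03-01.tar.gz"},
    },
]

# KMS API operations that actually exercise the key material.
KMS_CRYPTO_OPS = {"Encrypt", "Decrypt", "ReEncrypt",
                  "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}


def kms_key_usage(records, key_arn=None):
    """Return (eventTime, principal ARN, operation, S3 object ARN) for every
    cryptographic use of a KMS key, optionally restricted to one key ARN."""
    rows = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        if r.get("eventName") not in KMS_CRYPTO_OPS:
            continue
        params = r.get("requestParameters") or {}
        if key_arn and params.get("keyId") != key_arn:
            continue
        ctx = params.get("encryptionContext") or {}
        rows.append((r["eventTime"], r["userIdentity"]["arn"],
                     r["eventName"], ctx.get("aws:s3:arn")))
    return sorted(rows)


def usage_by_principal(records, key_arn=None):
    """Count key uses per principal: the 'by whom' part of the audit trail."""
    return Counter(principal for _, principal, _, _ in kms_key_usage(records, key_arn))


if __name__ == "__main__":
    for when, who, op, obj in kms_key_usage(SAMPLE_CLOUDTRAIL, KEY_ARN):
        print(f"{when}  {op:<16} {who}  ->  {obj}")
    print(usage_by_principal(SAMPLE_CLOUDTRAIL, KEY_ARN))
```

Neither SSE-S3 nor SSE-C produces these KMS events, which is exactly why they fail the audit requirement: with SSE-S3 the key is managed inside S3, and with SSE-C the key arrives in the request and is never stored, so there is no per-use key event to log.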

Question 2:
A financial services company has developed its flagship application on AWS Cloud with data security requirements such that the encryption key must be stored in a custom application running on-premises. The company wants to offload the data storage as well as the encryption process to Amazon S3 but continue to use the existing encryption key.
Which of the following S3 encryption options allows the company to leverage Amazon S3 for storing data with given constraints?
Options:
A. Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
B. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
C. Client-Side Encryption with data encryption is done on the client-side before sending it to Amazon S3
D. Server-Side Encryption with Customer-Provided Keys (SSE-C)
Answer: D
Explanation
Correct option:
Server-Side Encryption with Customer-Provided Keys (SSE-C)
You have the following options for protecting data at rest in Amazon S3:
Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects.
Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
For the given use-case, the company wants to manage the encryption keys via its custom application and let S3 manage the encryption; therefore it must use Server-Side Encryption with Customer-Provided Keys (SSE-C).
Incorrect options:
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Because the keys are managed by S3 rather than by the company, this option is incorrect.
Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) – Server-Side Encryption with Customer Master Keys (CMKs) stored in AWS Key Management Service (SSE-KMS) is similar to SSE-S3. SSE-KMS provides you with an audit trail that shows when your CMK was used and by whom. Additionally, you can create and manage customer-managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.
Client-Side Encryption with data encryption is done on the client-side before sending it to Amazon S3 – You can encrypt the data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
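The practical difference between the three server-side modes is what the client has to send with each request. With SSE-S3 and SSE-KMS the request only names the mode (and optionally the KMS key); with SSE-C the raw 256-bit key itself travels in the request headers on every PUT and every GET, which is what lets the company keep the key in its on-premises application while S3 does the encryption. The following is an added example, not code from the original page or from AWS, that builds the real `x-amz-server-side-encryption-*` headers for each mode and validates an SSE-C header set the way S3 does (the key ARN is a placeholder; the sample key is generated locally).

```python
import base64
import hashlib
import os


def new_customer_key():
    """A fresh 256-bit key, generated and retained by the customer's own
    application (the on-premises key store in the question)."""
    return os.urandom(32)


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Request headers for an S3 PutObject under the chosen mode. These are
    the same header values boto3 derives from its ServerSideEncryption /
    SSEKMSKeyId / SSECustomerKey parameters."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        h = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omitted: S3 falls back to the AWS managed key for S3
            h["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return h
    if mode == "SSE-C":
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode(),
            # MD5 of the raw key lets S3 detect a corrupted key in transit
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown mode {mode!r}")


def sse_get_headers(mode, customer_key=None):
    """Headers needed to read the object back. For SSE-S3 and SSE-KMS, S3
    decrypts from the object's own metadata (KMS permission permitting) and
    nothing extra is sent; for SSE-C the caller must present the key again."""
    if mode == "SSE-C":
        return sse_headers("SSE-C", customer_key=customer_key)
    return {}


def sse_c_key_matches(headers, customer_key):
    """Validate an SSE-C header set: the key header must decode to the given
    key and the MD5 header must be the MD5 of that raw key."""
    try:
        sent = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
        sent_md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"])
    except (KeyError, ValueError):
        return False
    return sent == customer_key and sent_md5 == hashlib.md5(customer_key).digest()


if __name__ == "__main__":
    key = new_customer_key()
    for mode, kwargs in [("SSE-S3", {}),
                         ("SSE-KMS", {"kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}),
                         ("SSE-C", {"customer_key": key})]:
        print(mode, "PUT:", sse_headers(mode, **kwargs))
        print(mode, "GET:", sse_get_headers(mode, customer_key=key))
```

Because the SSE-C key is part of every request, the connection must be HTTPS; S3 rejects SSE-C over plain HTTP, uses the key only for the duration of the request and does not store it, so losing the key on the company side means the objects cannot be recovered.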