Which S3 encryption technique should the Architect use?

An online medical system hosted in AWS stores sensitive Personally Identifiable Information (PII) of the users in an Amazon S3 bucket. Both the master keys and the unencrypted data should never be sent to

AWS to comply with the strict compliance and regulatory requirements of the company .

Which S3 encryption technique should the Architect use?
A . Use S3 client-side encryption with a KMS-managed customer master key.
B . Use S3 client-side encryption with a client-side master key.
C . Use S3 server-side encryption with customer provided key.
D . Use S3 server-side encryption with a KMS managed key.

View Answer

Answer: B

Explanation:

Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options:

– Use an AWS KMS-managed customer master key.

– Use a client-side master key.

When using an AWS KMS-managed customer master key to enable client-side data encryption, you provide an AWS KMS customer master key ID (CMK ID) to AWS. On the other hand, when you use client-side master key for client-side data encryption, your client-side master keys and your unencrypted data are never sent to AWS. It’s important that you safely manage your encryption keys because if you lose them, you can’t decrypt your data.

This is how client-side encryption using client-side master key works:

When uploading an object – You provide a client-side master key to the Amazon S3 encryption client. The client uses the master key only to encrypt the data encryption key that it generates randomly. The process works like this: