Question 3 : You are working as a developer in an investment bank, which had signup partnership with the AWS. You are developing an application which process banks customer personal data as well as all the transaction done by the customer. It is asked to you that this information you store in your  AWS S3 must be encrypted and you don’t have any on-premise key management solution. Your senior architect suggested that you can use AWS KMS solution. Hence, for this requirement which of the below design fit best?

1. You will be creating custom master key and save this key in the KMS. Once it is added in KMS you will delete the local copy of the custom master key. Whenever you need to encrypt the data, you will send you entire data to KMS to get encrypted. Once data is encrypted you can instruct the KMS to store it in Specific S3 bucket.
2. You will be using default master key created by S3 and KMS service. You send your data to KMS to get encrypted. Once data is encrypted it is your responsibility to copy this encrypted data to S3 bucket.
3. You will write a separate service, which intercept any data writing to S3 bucket and get the encryption master keys from KMS and encrypt the data. And then finally store this data to KMS.
4. You will be using default master key created for S3 in KMS to encrypt and decrypt a data key, and using this decrypted data key, you will encrypt your data. Once data is encrypted you delete the decrypted data key. And encrypted version of the master key and data key will be stored in KMS.
5. You will be using default master key created for S3 in KMS to encrypt and decrypt a data key, and using this decrypted data key, you will encrypt your data. Once data is encrypted you delete the decrypted data key. And encrypted version of the data key will be stored with the data in S3.

Correct Answer : E

Detailed Explanation : This question is related to securing data and how do you encrypt the data your receive before storing that data into S3. Yes, you need a key to encrypt your data. As a best design you will never send your data to KMS to get encrypted. Rather you will encrypt data in your application. To encrypt data you need encryption key. KMS has one master key it can default created by S3 service for your account or you can get your own one master key. As name suggest it is a master key and this key is not used to encrypt your dsata. Instead you will be using another key to encrypt the data. Once data is encrypted using data key, you will have encrypted version of the data key, this data key will be encrypted using master key which is in KMS. Remember below important points, which always help you to reach final answer:

1. Master key never leave KMS.
2. Data key will never be stored in KMS.
3. You will send your data key to KMS, which will encrypt the data key.
4. You will be storing encrypted data key with the KMS.
5. Plaint text copy of the data key will be used to actually encrypt and decrypt your data.
6. Once data is encrypted and decrypted using plain data key, then this plain text data key needs to be deleted.