- You will be using the AWS-provided KMS solution, which provides master keys to encrypt the data while uploading it into the S3 bucket.
- You will be using the AWS KMS solution to manage the keys, but prefer to use a custom master key. Whenever data is uploaded, it will be encrypted by this custom master key. You will write a separate solution to audit the master keys.
- You will be using your own custom master key, which will be managed by AWS KMS, and to encrypt and decrypt the data you will be using a separate data key. That data key will be encrypted by your own master key.
- To audit the use of the custom master key, you will be using AWS CloudTrail.
- For audit and compliance purposes you will be using AWS CloudTrail, but you have to write a separate logging solution. It needs to be integrated with the mobile application, so that your application logging can be used to monitor the encryption key, and the same logs will be stored in AWS CloudTrail.
Answer: C, D
Detailed Explanation: The following concepts are asked in this question.
- Use of the KMS solution, custom master key, data key, and logging of encryption key use for compliance and auditing.
- Remember the following points about KMS:
- KMS is a solution for storing and managing master keys. This master key can be provided by you, or AWS creates a default master key for each account and each service by default.
- This master key cannot be used to encrypt all of your data, because it can encrypt and decrypt only 4 KB of data at a time. Hence, you will be using a separate key to encrypt and decrypt the data, known as a data key. You will use the data key to encrypt the data, and the encrypted version of this data key will be stored with your data (KMS will not store your data key). Whenever you want to decrypt your data, you first get your encrypted data key and decrypt it using the master key (either the custom or the default one, as per your preference). Using the decrypted data key, you then decrypt your data.
- Remember: Master keys (either custom or default) never leave KMS.
- For compliance and auditing: You are using AWS, so Amazon wants you to write as little custom solution as possible. Hence, in this case, auditing the use of the master key (either custom or default) is done by AWS, and all the logs are stored in CloudTrail. You don't need to audit the use of the data key, because without the master key the data key is not useful.
- Hence, the developer has to use the AWS SDK and the AWS KMS solution in the application to encrypt and decrypt the data.
- You can say that KMS is a solution for protecting encryption keys and auditing the use of encryption keys.
You can also control, using IAM, who can access these master keys stored in KMS.
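The envelope-encryption flow described above (data key wrapped by a master key that never leaves KMS, wrapped key stored beside the data, 4 KB limit on direct master-key use, every master-key call audited), as an added stand-alone example rather than the AWS SDK: `FakeKms` is a simulation that stands in for KMS and CloudTrail, and `_keystream_xor` is a placeholder for the real AES-GCM cipher.

```python
"""Envelope encryption with a simulated KMS (added example, not AWS SDK code)."""
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream. Stand-in for AES-GCM so the
    # example runs with the standard library only; it provides no integrity check.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class FakeKms:
    """Simulated KMS: master keys stay inside this object; audit_log plays CloudTrail."""
    MAX_DIRECT_BYTES = 4096          # KMS Encrypt/Decrypt handle at most 4 KB per call

    def __init__(self):
        self._master_keys = {}       # never returned to callers
        self.audit_log = []          # (api_call, key_alias), like CloudTrail events

    def create_key(self, alias: str) -> str:
        self._master_keys[alias] = os.urandom(32)   # custom master key (CMK)
        self.audit_log.append(("CreateKey", alias))
        return alias

    def generate_data_key(self, alias: str):
        """Return (plaintext data key, data key wrapped under the master key)."""
        data_key, nonce = os.urandom(32), os.urandom(12)
        self.audit_log.append(("GenerateDataKey", alias))
        return data_key, nonce + _keystream_xor(self._master_keys[alias], nonce, data_key)

    def decrypt(self, alias: str, blob: bytes) -> bytes:
        """Unwrap a blob with the master key; only small blobs (the data key) are allowed."""
        if len(blob) - 12 > self.MAX_DIRECT_BYTES:
            raise ValueError("KMS Decrypt accepts at most 4 KB of ciphertext")
        self.audit_log.append(("Decrypt", alias))
        return _keystream_xor(self._master_keys[alias], blob[:12], blob[12:])

def envelope_encrypt(kms: FakeKms, alias: str, plaintext: bytes) -> bytes:
    """Object as it would be stored in S3: [len][wrapped data key][nonce][ciphertext]."""
    data_key, wrapped = kms.generate_data_key(alias)
    nonce = os.urandom(12)
    body = _keystream_xor(data_key, nonce, plaintext)   # plaintext data key is then discarded
    return len(wrapped).to_bytes(2, "big") + wrapped + nonce + body

def envelope_decrypt(kms: FakeKms, alias: str, stored: bytes) -> bytes:
    """Only the wrapped data key goes to KMS; the bulk data is decrypted locally."""
    n = int.from_bytes(stored[:2], "big")
    wrapped, nonce, body = stored[2:2 + n], stored[2 + n:14 + n], stored[14 + n:]
    return _keystream_xor(kms.decrypt(alias, wrapped), nonce, body)
```

The audit log records one master-key event per upload and per download, while the data key itself is never sent to or logged by the simulated KMS, which matches the explanation's point that auditing the master key is sufficient.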