Question 2:  You are working as web site developer this website will be hosted on your on premise servers. This application is to collect the taxes as well as other business details like scanned copy of invoices, big financial transaction with customer and counterparty details. Your senior architect wants that all the data submitted through this website needs to be encrypted while transferring to S3 bucket as well as when it is stored in S3 bucket. At the same time he regularly or time to time want to check oe monitor whether encryption is in place or not for the data uploaded in S3. Which of the following solution is the best fit for given requirement?

1. You will be using SSL based solution to send data from your web server to S3 bucket so that data will be encrypted in-transit. For auditing purpose, you will also set a CloudWatch Alarm, for the data uploaded in specific S3 bucket, to check whether data is encrypted or not. If data is not encrypted it will send an alert via email to your senior architect.
2. You will be encrypting the entire S3 bucket, with the encryption keys and store that encryption keys to AWS KMS. To audit the use of encryption keys, you will be writing a logging solution which will write the use of encryption keys regularly on the AWS CloudTrail.
3. You will be using two keys, one is custom master key and another one is data key. And using data key you will be encrypting the data on your web-server. And this data key will be encrypted by your custom master key. And you will save encrypted data key with the data and custom master key on the AWS KMS.
4. You will be using two keys, one is default master key for S3 service and another one is data key. And using data key you will be encrypting the data on your web-server. And this data key will be encrypted by your custom master key. Also both the data key and default master key will be stored on KMS.
5. Your senior manager regularly or time-to-time can check AWS CloudTrail to find whether encryption master keys were used or not.

Correct Answer: C, E

Detailed Explanation : In this question AWS wanted to test the concept of AWS KMS use and auditing of encryption for compliance and regulatory need.

AWS KMS is a solution for storing and managing master keys, these master keys can be provided by customer or created in KMS for the AWS services itself like S3, Redshift etc. Master encryption keys will never leave the KMS, if you are using master keys from KMS. If you are using your custom master keys than you have to store them in KMS. However, please note that master keys are not used for encryption of data. You will be using a separate key, which is known as data key to encrypt the data. So how it works you will use this data key (plain text) to encrypt the data and once data is encrypted you should delete this plain text data key from memory and encrypted version of the data key needs to be saved with the data. Now this data key itself encrypted and decrypted using the master keys. Regarding auditing and compliance need you don’t have to write any specific solution, because whenever you use AWS KMS then Amazon will log the use of this master keys in CloudTrail. And your senior architect or compliance and regulatory department can check the logs from CloudTrail to find whether the encryption is regularly used or not.

Remember, you will never be able to encrypt entire bucket (so whenever, you see such option you can remove as an answer). Only data in the bucket can be encrypted.