Question 11: You have been working with data which is quite sensitive and you use AWS S3 bucket to store that data with the encrypted version. Also you want to make sure who can encrypt and decrypt data with highly granular level of access control also same data needs to be uploaded in Redshift cluster in encrypted form. Which of the below approach is more suitable in this requirement.

1. You will be using single AWS managed CMK to encrypt and decrypt the data as well as attach key policies for granular control.
2. You will be using two separate AWS managed CMK one for S3 and other one for Redshift cluster and attach key policy to the keys for granular level of access control.
3. You will be using single Customer managed CMK for encrypt and decrypt the data.
4. You will be using AWS managed CMK with multi-factor-authentication enabled.

Correct Answer : C

Detailed Explanation:  In this question AWS wants to know your basic understanding between Customer Managed and AWS managed CMK. You must know that

• For different services you have to use different AWS managed CMK. Hence, option 1 is out.
• You cannot have granular level of access control for AWS managed CMK. Hence, option 1 and 2 is out.
• If you want granular level of access to keys than you should use Customer Managed CMK and in this case option 3 is the only one seems to be correct. Because option 4 is also talking about AWS managed CMK.