KPL (Kinesis Producer Library) and consumed by the Kinesis Consumer Library (KCL). The KCL submits this data to a Redshift cluster; from this point onwards, the Data Analytics team reads the log data to apply Machine
Learning to it. However, as per the security team, all the data received must be encrypted at rest, and the key for encrypting and decrypting the data should not be managed in-house. How can you achieve this?
1. You will use client-side encryption.
2. You will use the SSL/TLS protocol when data is transferred.
3. You will use server-side encryption.
4. You will enable CloudHSM for the key and enable encryption for the stream.
Correct Answer: 3
Exp: In this question there are two basic requirements.
1. How to encrypt data at rest.
2. How to get a managed solution for the encryption key.
When you need a managed solution for the encryption key, AWS KMS is the best option available. However, looking at the options, you can see that none of them specifically mentions KMS. But the
server-side encryption option means that the data is encrypted before it is saved, and it remains encrypted at rest. For encrypting this data, AWS uses the KMS-based CMK. Hence, the keys are
managed by AWS only. It is therefore the ideal solution, satisfying both requirements.
SSE (Server Side Encryption) is available for Kinesis Data Streams. It automatically encrypts the data before it is saved, using the AWS KMS master key (CMK) specified by you. Data is
encrypted before it is written to the Kinesis storage layer and decrypted when it is read from the storage layer. And if you are using SSE, maintaining the KMS CMK is not your headache.
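The check below is an added example, not part of the original question bank: it reads a stream's encryption state and turns on SSE with the AWS-managed key when the stream is unencrypted. It uses the boto3 Kinesis calls `describe_stream_summary` and `start_stream_encryption`; the helper names, the `FakeKinesis` stand-in, the stream names and the key-matching rule are assumptions made for illustration.

```python
AWS_MANAGED_KEY = "alias/aws/kinesis"  # AWS-managed KMS key for Kinesis


def same_key(current, wanted):
    # Assumption: the stream may report the key as given or as a full ARN.
    return current == wanted or (current or "").endswith(":" + wanted)


def ensure_sse(kinesis, stream, key_id=AWS_MANAGED_KEY):
    """Return 'compliant', 'other-key', or 'enabled' for one stream."""
    summary = kinesis.describe_stream_summary(StreamName=stream)[
        "StreamDescriptionSummary"]
    if summary.get("EncryptionType", "NONE") == "KMS":
        return "compliant" if same_key(summary.get("KeyId"), key_id) else "other-key"
    # Unencrypted: turn on SSE. The real call is asynchronous (stream goes UPDATING).
    kinesis.start_stream_encryption(
        StreamName=stream, EncryptionType="KMS", KeyId=key_id)
    return "enabled"


class FakeKinesis:
    """Constructed stand-in for boto3.client('kinesis'); no AWS access needed."""

    def __init__(self, streams):
        self.streams = streams  # name -> {"EncryptionType": ..., "KeyId": ...}

    def describe_stream_summary(self, StreamName):
        return {"StreamDescriptionSummary": dict(self.streams[StreamName])}

    def start_stream_encryption(self, StreamName, EncryptionType, KeyId):
        self.streams[StreamName] = {"EncryptionType": EncryptionType, "KeyId": KeyId}


if __name__ == "__main__":
    fake = FakeKinesis({  # constructed sample streams
        "app-logs": {"EncryptionType": "NONE"},
        "audit": {"EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"},
        "legacy": {"EncryptionType": "KMS", "KeyId": "alias/in-house-key"},
    })
    for name in list(fake.streams):
        print(name, ensure_sse(fake, name))
```

Against a real account, pass `boto3.client("kinesis")` instead of the fake. SSE applies only to records written after it is enabled, so records already in the stream stay unencrypted until they age out of the retention period.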
3