also a guideline: if data is stored outside of the corporate data center, it should be encrypted and all the encryption keys should be managed by the company only. Which of the following are ideal solutions for the given requirement?
A. You will be using Server Side Encryption.
B. You will be using Client Side Encryption.
C. You will be using CloudHSM (Hardware security management)
D. You will be using SSE using Customer Managed CMK
E. You will be using SSE using AWS Managed CMK
1. A,B
2. B,C
3. B,D
4. D,E
5. A,E
Correct Answer : 3
Exp : The question says the data must be encrypted when it is stored in AWS, in an S3 bucket. There is also a constraint that the encryption key should be managed by the company itself. You can enable server-side encryption for the data and have the encryption key managed by the customer. What does that mean? Before the data is saved in the S3 bucket, it is encrypted using the CMK. However, there are two ways of getting the CMK: one is an AWS managed CMK and the other is a customer managed CMK. Here we don't want to use the AWS-provided CMK; we go for the customer managed CMK instead. Hence option D is correct and option A is not correct, because option A says only that we will be using Server Side Encryption and tells us nothing about the CMK (and by default it will use the AWS managed CMK). Hence option A does not give control over the key to be used.
Another correct option is option B, Client Side Encryption. It means you encrypt the data and then upload the encrypted data to the S3 bucket. Hence it is the company's responsibility to encrypt the data as well as to manage the keys.
The remaining options, C and E, are not correct either.