A company uses a data lake that is based on an Amazon S3 bucket. To comply with regulations, the company must apply two layers of server-side encryption to files that are uploaded to the S3 bucket. The company wants to use an AWS Lambda function to apply the necessary encryption.
Which solution will meet these requirements?
The company needs two layers of server-side encryption for compliance. Using both server-side encryption with AWS KMS keys (SSE-KMS) and the Amazon S3 Encryption Client will meet this requirement. SSE-KMS encrypts data at rest and the Amazon S3 Encryption Client can perform an additional layer of encryption before the data is uploaded. This ensures the data is encrypted twice, fulfilling the compliance standards requiring multilayer encryption.
Answer is B
I guess that right answer is - B https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingDSSEncryption.html
B. Use dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) is specifically designed to apply two layers of encryption to meet regulatory compliance requirements. This ensures that each object stored in Amazon S3 is encrypted twice, providing the additional security layer that the company needs.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-dsse-encryption.html
Answer is D
Using dual-layer server-side encryption with AWS Key Management Service (AWS KMS) keys (DSSE-KMS) applies two layers of encryption to objects when they are uploaded to Amazon S3. DSSE-KMS helps you more easily fulfill compliance standards that require you to apply multilayer encryption to your data and have full control of your encryption keys.
The solution that will meet these requirements is Option A: Use both server-side encryption with AWS KMS keys (SSE-KMS) and the Amazon S3 Encryption Client. This approach provides two layers of encryption. The first layer is the server-side encryption with AWS KMS keys (SSE-KMS), which encrypts the data at rest. The second layer is the client-side encryption using the Amazon S3 Encryption Client before the data is uploaded to S3. This way, the data is already encrypted when it arrives at S3 and then it gets encrypted again by S3, thus providing two layers of encryption. The other options are not as suitable: Option B: There’s no such thing as dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). Option C: Server-side encryption with customer-provided keys (SSE-C) only provides one layer of encryption. Option D: Server-side encryption with AWS KMS keys (SSE-KMS) also only provides one layer of encryption