Exam SAA-C03
Question 36

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.

Which solution will meet these requirements with the LEAST operational overhead?

    Correct Answer: D

    To encrypt the data in S3 buckets in two Regions with a customer managed key and the least operational overhead, the same key must be usable in both Regions. A KMS multi-Region key (a primary key in one Region and a replica in the other) has the same key ID and the same key material in each Region, so objects in either bucket can be encrypted and decrypted with the same key without re-encrypting or making a cross-Region call to AWS KMS. Creating a customer managed KMS key and an S3 bucket in each Region and configuring each bucket to use server-side encryption with AWS KMS keys (SSE-KMS) keeps both the data and the key stored in each Region, and leaves no application-side encryption code to maintain. One caveat: two keys created independently in each Region are distinct keys with different key IDs, so the key in the second Region must be a replica of the multi-Region primary for the "same KMS key" requirement to hold.
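As an added example that is not part of the exam page or of any AWS code, the following Python builds the two configurations the accepted answer relies on (bucket default encryption with SSE-KMS, and a replication rule that re-encrypts replicas under the destination Region's key) and then checks the property the question actually demands: that the key referenced by each bucket is stored in that bucket's own Region and that both buckets reference the same key ID, which is only possible for a multi-Region key (key IDs beginning with `mrk-`). All ARNs, the account number and the bucket names are constructed for the example; the dict shapes follow the request bodies that `put_bucket_encryption` and `put_bucket_replication` accept, but nothing here calls AWS.

```python
"""Check the 'same KMS key in each of two Regions' requirement offline.

Constructed example, not code from the exam page or from AWS. The ARNs,
account number and bucket names are made up. The dicts built here have the
shape boto3's put_bucket_encryption / put_bucket_replication accept.
"""
import re

# KMS key ARN layout: arn:aws:kms:<region>:<account>:key/<key-id>
_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[a-z0-9-]+)$"
)


def parse_kms_key_arn(arn: str) -> dict:
    """Split a KMS key ARN into region, account and key_id; raise if malformed."""
    m = _KEY_ARN.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return m.groupdict()


def is_multi_region_key_id(key_id: str) -> bool:
    """Multi-Region key IDs start with 'mrk-'; single-Region key IDs are plain UUIDs."""
    return key_id.startswith("mrk-")


def default_encryption_config(key_arn: str) -> dict:
    """Bucket default encryption: SSE-KMS with the given customer managed key.
    BucketKeyEnabled turns on S3 Bucket Keys, which cut the per-object KMS calls."""
    return {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": key_arn,
            },
            "BucketKeyEnabled": True,
        }]
    }


def replication_config(role_arn: str, dest_bucket: str, replica_key_arn: str) -> dict:
    """Replication rule that replicates SSE-KMS objects and encrypts the replicas
    with the key that lives in the destination Region (ReplicaKmsKeyID)."""
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "replicate-sse-kms-objects",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "SourceSelectionCriteria": {
                "SseKmsEncryptedObjects": {"Status": "Enabled"}
            },
            "Destination": {
                "Bucket": f"arn:aws:s3:::{dest_bucket}",
                "EncryptionConfiguration": {"ReplicaKmsKeyID": replica_key_arn},
            },
        }],
    }


def check_same_key_in_each_region(bucket_keys: dict) -> list:
    """bucket_keys maps a bucket's Region to the key ARN its default encryption uses.
    Returns findings; an empty list means: every key is stored in its bucket's
    Region, all buckets use one key ID, and that ID is a multi-Region key."""
    findings = []
    key_ids = set()
    for bucket_region, arn in bucket_keys.items():
        k = parse_kms_key_arn(arn)
        if k["region"] != bucket_region:
            findings.append(
                f"{bucket_region}: key {k['key_id']} is stored in {k['region']}, not locally"
            )
        if not is_multi_region_key_id(k["key_id"]):
            findings.append(f"{bucket_region}: key {k['key_id']} is a single-Region key")
        key_ids.add(k["key_id"])
    if len(key_ids) > 1:
        findings.append(f"buckets reference different keys: {sorted(key_ids)}")
    return findings


# Constructed sample: a multi-Region primary in us-east-1 and its replica in
# eu-west-1 share the key ID; the single-Region pair below does not.
MRK_US = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
MRK_EU = "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
SINGLE_US = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SINGLE_EU = "arn:aws:kms:eu-west-1:111122223333:key/0987fedc-ba98-7654-3210-fedcba098765"

if __name__ == "__main__":
    print("multi-Region pair:", check_same_key_in_each_region({"us-east-1": MRK_US, "eu-west-1": MRK_EU}))
    print("independent keys:", check_same_key_in_each_region({"us-east-1": SINGLE_US, "eu-west-1": SINGLE_EU}))
    print(replication_config("arn:aws:iam::111122223333:role/s3-replication", "app-data-eu", MRK_EU))
```

The check is deliberately strict on Region: referencing the us-east-1 key ARN from the eu-west-1 bucket would work functionally for a multi-Region key, but it makes every KMS call for that bucket cross-Region and leaves no key stored in eu-west-1, which is exactly what the question's "data and key must be stored in each Region" wording rules out.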

Discussion
pooppants (Option: B)

KMS Multi-region keys are required https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

sohailn

Absolutely, D is the right one because S3 KMS multi-Region is an individual key, so you must first decrypt in the source bucket and then re-encrypt in the target bucket.

sakurali

Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.

kelmryan1

The SAME key would exist in both regions

0203b0f

Answer is D : This option aligns with the requirement to use a customer-managed KMS key for encryption. It also ensures that the same KMS key is used for encryption and decryption across both AWS Regions, as required. By using SSE-KMS, you can ensure that encryption keys are managed by AWS KMS, providing greater control and security over the encryption process. Configuring replication between the S3 buckets ensures that data is synchronized across both regions. This approach minimizes operational overhead while meeting the specified requirements.

Instantqueue

It's not correct because the question asks for server-side encryption, not client-side (before the objects reach the bucket).

kelmryan1

It says encrypt all data, and the data originates from the application, making it B.

Johan_jelly

KMS multi-region keys are typically used when you need to enable cross-Region replication of encrypted data

Edwars

I'd say D because multi-region keys can be used with server side encryption as well. "Multi-Region keys are supported in the AWS KMS console, the AWS KMS API, the AWS Encryption SDK, Amazon DynamoDB Encryption Client, and Amazon S3 Encryption Client. AWS services also let you configure multi-Region keys for server-side encryption in case you want the same key to protect data that needs both server-side and client-side encryption." https://aws.amazon.com/blogs/security/encrypt-global-data-client-side-with-aws-kms-multi-region-keys/

KJa (Option: D)

Cannot be A: the question says customer managed key. Cannot be B: client-side encryption is operational overhead. Cannot be C: it says SSE-S3 instead of customer managed. So the answer is D, though it requires a one-time setup of keys.

mattlai

Fun joke: if you don't do encryption on the client side, where else could it be?

Newptone

It could be server-side. For client-side, the application needs to do the encryption and decryption by itself. So S3 object encryption on the server side is less operational overhead. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html But for option B, the major issue is that if you create KMS keys in 2 Regions, they cannot be the same.

Newptone

Sorry for the typo, I mean option D.

BoboChow

The data in both S3 buckets must be encrypted and decrypted with the same KMS key. AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. "as though" means it's different. So I agree with B

BoboChow

Keys change across Regions unless you use multi-Region keys.

pentium75

B includes replicating the data in the S3 buckets, which is not mentioned anywhere in the stem. It says that you need to store data in two buckets, not that you need to replicate content between buckets.

Drew3000

All the choices involve replication between the buckets.

th3cookie

How does client-side encryption increase OPERATIONAL overhead? Do you think every connected client is sitting there with the gpg CLI, decrypting/encrypting every packet that comes in/out? No, it's done via SDK -> https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html The correct answer is B because that's the only way to actually get the same key across multiple Regions with minimal operational overhead.

kakka22

"The data in both S3 buckets must be encrypted and decrypted with the same KMS key." Client-side encryption means that the key is generated from the client without storing it in KMS...

Clouddon

Kindly point out where server-side encryption supports multi-Region. It is only mentioned on the AWS blog that client-side supports multi-Region.

Karthikdav (Option: D)

The question specifically says to use client managed keys and not client side encryption.

jasmine48718372

I think the answer was all stated clearly in the question per se. "The data and the key must be stored in each of the two Regions." makes it really clear it's either C or D. Since the customer "must use AWS KMS customer managed key to encrypt all data...", the answer should be D.

dekol347 (Option: D)

https://aws.amazon.com/getting-started/hands-on/replicate-data-using-amazon-s3-replication/ https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html Basically, neither of the two sources above mentions using KMS multi-Region keys (Option B) or client-side encryption. Option C is not really valid because SSE-S3 is AWS managed, not customer managed. Option D is the most logical and straightforward solution: you can create a customer managed key for SSE-KMS.

jatric (Option: D)

D supports multi-Region keys and uses AWS KMS (less overhead).

ChymKuBoy (Option: B)

B for sure

Lin878 (Option: B)

B is correct because we should use multi-region key in this case.

lofzee (Option: D)

Going for D because the question says it needs a customer managed KMS key, which equals SSE-KMS.

3680113

B also has SSE-KMS.

zinabu (Option: B)

B is correct

ManikRoy (Option: B)

It's likely to be option B, as it is the only option that mentions KMS multi-Region keys. Multi-Region keys can also be used for client-side encryption. Also, CSE means the object will be encrypted before it reaches the S3 bucket and will be decrypted after the object is fetched from the S3 bucket, so while in the S3 bucket it stays encrypted.

jaykania (Option: D)

Can't be B as the question requires SSE and not CSE

zinabu

Both B & D have their own problems. C: it was OK with the multi-Region KMS key, since we need the same key for both Regions, but the problem is it says client-side encryption; using KMS is server-side encryption from the beginning. D: it says to create an S3 bucket and KMS key in each Region, which means the two keys for the two Regions are not the same because we create one for each Region, but the question asked to use the same key.

firsttimetesttaker (Option: D)

It has to be D. Client-side encryption requires additional handling within the application code, increasing operational overhead if we go with option B. So by elimination, the next best option is D.

ml1190

SSE encryption is not required and multi-region keys support client side encryption, so the correct answer is B

hro

C - The question implies that the Data AND Key must be in EACH of the two Regions

MoAboDaif (Option: D)

He said "The company must use a Key Management Service (AWS KMS) customer managed key". B is using client-side encryption, not even an AWS key. Right...??