AWS Certified Security – Specialty — Question 145

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.
How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)

Answer options

• A. There is no API operation to retrieve an S3 object in its encrypted form.
• B. Encryption of S3 objects is performed within the secure boundary of the KMS service.
• C. S3 uses KMS to generate a unique data key for each individual object.
• D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
• E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.

Correct answer: A, C

Explanation

Option A is correct because it ensures that S3 objects cannot be retrieved in their encrypted state, reducing the risk of data exposure. Option C is also correct as it highlights that S3 generates a unique data key for each object, limiting the impact of any potential key compromise. The other options either do not directly address the concerns or suggest practices that could increase risk.