AWS Certified Security – Specialty — Question 99

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?

Answer options

• A. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
• B. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
• C. Use the S3 encryption client to encrypt each file individually using S3-generated data keys.
• D. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.

Correct answer: D

Explanation

Option D requires the least amount of configuration as it simplifies the encryption process by using server-side encryption with AWS KMS-managed keys, which is handled automatically by S3. Options A and B involve more complex setups with multiple buckets or Lambda functions, while Option C requires manual encryption of each file, increasing operational overhead.