AWS Certified Solutions Architect – Professional — Question 893

The company's Security team requires that all data uploaded into an Amazon S3 bucket be encrypted. The encryption keys must be highly available, and the company must be able to control access on a per-user basis, with different users having access to different encryption keys.
Which of the following architectures will meet these requirements? (Choose two.)

Answer options

Correct answer: B, D

Explanation

Option B satisfies the requirements because AWS KMS is inherently highly available, and using multiple CMKs with key policies allows granular, per-user access control. Option D is also correct because configuring two AWS CloudHSM instances in high-availability mode meets the availability requirement, and the CloudHSM client software must be used for key access control since IAM cannot manage internal CloudHSM keys. Option A is incorrect because SSE-S3 does not support granular, user-level key access control, while Options C and E fail because a single CloudHSM is not highly available and IAM cannot control access to keys inside CloudHSM.