Exam AWS Certified Security - Specialty topic 1 question 119 discussion

B is answer

Let look at the constraints and what fulfill them: company to generate its own keys: SSE-KMS & SSE-C both fulfill this. without needing to manage encryption process: SSE-KMS & SSE-C both fulfill this. without needing to manage key storage: Only SSE-KM fulfills this. Correct answer is B.

C is not correct because with SSE-C you need to manage the encryption keys that you provide

With SSE-S3, Amazon S3 manages the encryption keys and encrypts all data stored in your bucket with a unique key. With SSE-KMS, you maintain control over the encryption keys and can rotate them periodically for enhanced security. B

With C you need to manage storage.

To ensure that the sensitive data is encrypted at rest in Amazon S3 and enable the company to generate its own keys without needing to manage key storage or the encryption process, the security engineer should use server-side encryption with customer-provided keys (SSE-C). With SSE-C, the security engineer can provide their own keys, which are used to encrypt and decrypt the data as it is written to and read from Amazon S3. The keys are stored and managed by the company, rather than being managed by Amazon S3 or AWS KMS. This allows the company to have full control over the key management process and ensure that the keys are stored in a secure manner.

B- Customer Managed C- Customer Provided The question is talking about customer managed hence B is the correct answer.

Its B, although C seems very tempting. explanation for B (when you want to CREATE the key not necessarily providing your own key) If you use KMS keys, you can use AWS KMS through the AWS Management Console or the AWS KMS APIs to do the following: Centrally create KMS keys Define the policies that control how KMS keys can be used Audit their usage to prove that they are being used correctly explanation for C (used when you want to provide your own key) Server-side encryption is about protecting data at rest. Using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages the encryption as it writes to disks and decryption when you access your objects. Therefore, you don't need to maintain any code to perform data encryption and decryption. The only thing you do is manage the encryption keys you provide. https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html

B is very correct!

B is absolutely correct, C is wrong because it requires storing and managing the Key by Clients: "When you use server-side encryption with AWS KMS (SSE-KMS), you can use the default AWS managed key, or you can specify a customer managed key that you have already created."

I go for option C as well.

The correct answer to this question would be SSE-KMS Customer Managed Key. But none of the option provides that. it's difficult to understand why would it be option "C" as question requires without managing the keys.

CAN I HAVE THIS IN MY EXAM？

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys B

B is the answer C is out because You manage a mapping of which encryption key was used to encrypt which object. Amazon S3 does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.

Answer B. Requirement: "..company to generate its own keys without needing to manage key storage or the encryption process."" SSE-KMS does use CMK, which fulfil "company generate its own keys". SSE-C is out because: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html "You manage a mapping of which encryption key was used to encrypt which object. Amazon S3 does not store encryption keys. You are responsible for tracking which encryption key you provided for which object."

c https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html