Exam AWS Certified Security - Specialty topic 1 question 136 discussion

d seems correct

D is the correct answer. "When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual AWS KMS data key for every object." <<<<<<<<<< https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html#bucket-key-overview And bucket key are no enabled by default.

D. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data. This option uses SSE-KMS, but it doesn't provide separate keys for each file. It uses the same KMS key for all objects in the bucket, which doesn't meet the requirement of using different keys for each file. Option C, using the S3 encryption client to encrypt each file individually using S3-generated data keys, is the option that requires the least amount of configuration while still meeting the CISO's requirement for encrypting each file with a different key. This approach is more straightforward and doesn't involve the complex management of separate buckets and keys or writing custom Lambda functions.

D for data keys, it uses KMS to generate the data key and encrypt it, resulting in different encryption key for each object

Server-side encryption will encrypt the data using a unique key. Therefore D, would be a good choice.

the support to my answer https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html D will have so much effort to create KMS keys for individual files

C is wrong because S3 encryption client is a client-side encryption and not requires more configuration than D

To implement the approach of encrypting each file using a different key, the option that requires the least amount of configuration is: C. Use the S3 encryption client to encrypt each file individually using S3-generated data keys. Using the S3 encryption client to encrypt each file individually allows the company to use a different key for each file, without the need to configure multiple S3 buckets or write an AWS Lambda function. The S3 encryption client handles the process of generating and using data keys for each file, which simplifies the configuration process. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html SSE-S3 (and not S3-client) and SSE-KMS can do the job ; each object is encrypted with a unique key. But SSE-S3 is not offered as option.

Its D, At first I misread C, Would of failed this at the exam i thought it was server side encryption which would of worked nicely.

D. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.

It is D As per below, S3 server side encryption satisfies customer requirement. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html “Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).”

SSE KMS with Aws managed key encrypt data with unique key. And as question states with minimum efforts. So ans D is correct

D doesn't look right option. When you select S3-KMS with AWS managed key then it will create new key in KMS. This same key will be used for every upload.

my advice for the answer comment is please put valid reason with the link for your answer you don't have to repeat the answer simply you need to put a reason to have genuine discussion

D looks correct to me.