Exam ANS-C00 topic 1 question 11 discussion

Its BE, cloudfront can do field level encrytion using KMS, ALB can't use KMS

Answer: B, E Have the website write PII to S3 via CLoudFront/Lambda@Edge into an S3 bucket, encrypted using KMS keys. Have the website call for the PII via CloudFront/Lambda@Edge, using KMS to decrypt the S3 objects. A - incorrect - huh? B - correct C - incorrect - If the EC2 instance uses a role to encrypt the PII, it must also use that same role to decrypt the PII - thus storing it in whatever system effectively gives it access read the data D - incorrect - (sort of) - HTTPS is also possible via CloudFront, which makes this answer redundant E - correct - KMS to encrypt/decrypt https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/

Correct Answer CE

Answer - CE Customer is not manually entering their information rather it's been fed through a customer website (so customer side sql data encryption is valid) and application on AWS receives this encrypted data and production server can decrypt it with right IAM permission on the KMS key (CMK - Customer Managed Key).

https://aws.amazon.com/blogs/security/how-to-protect-sensitive-data-for-its-entire-lifecycle-in-aws/

Answer B and E

Why would you need CloudFront to do encryption? The question clearly says "all aspects of personally identifiable information (PII) must be encrypted at all times and as soon as possible after receipt"...first part satisfied by ALB that encrypts the data at transit and then inside the VPC its KMS. So have no idea why most are looking at Cloudfront. Its clearly D and E

B: "... as soon as possible after receipt" means that data needs to be processed at edge E: KMS for encryption

Everyone agreed to E. So, let's look at B or D B. Amazon CloudFront using AWS Lambda@Edge - I have a website (No one knows static or dynamic. But they are using EC2). In order do this, I will have to use CloudFront with Lambda@Edge + EC2 + S3. Wah. Technically can. But why? D. Application Load Balancer using HTTPS listeners and targets - In my web application (Deployed at EC2 with IAM Role 'xxx'), I will use AWS SDK in my code and as soon as data hits I will encrypt with KMS. I can also ensure that the IAM role attached with EC2 won't have decrypt permission. For this requirement: “A single service within the production VPC must decrypt the PII by leveraging an IAM role.” - There is NO solution in the answer.

Everyone agreed to E. So, let's look at B or D B. Amazon CloudFront using AWS Lambda@Edge - I have a website (No one knows static or dynamic. But they are using EC2). In order do this, I will have to use CloudFront with Lambda@Edge + EC2 + S3. Wah. Technically can. But why? D. Application Load Balancer using HTTPS listeners and targets - In my web application (Deployed at EC2 with IAM Role 'xxx'), I will use AWS SDK in my code and as soon as data hits I will encrypt with KMS. I can also ensure that the IAM role attached with EC2 won't have decrypt permission. For this requirement: “A single service within the production VPC must decrypt the PII by leveraging an IAM role.” - There is NO solution in the answer. But atleast I won't select Lamda@Edge as its not running in my production VPC.

BE 1. Use the field-level encryption feature offered by CloudFront. 2. KMS to encrypt/decrypt https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/ https://aws.amazon.com/blogs/security/how-to-enhance-the-security-of-sensitive-customer-data-by-using-amazon-cloudfront-field-level-encryption/ Though LambdaEdge would also required but the Best & nearest answer is B&E.

The answers are C and E Consider below embedded statement; “specifically encrypted at all times and as soon as feasible when received” This implies that some kind of encryption mechanism when data is at rest. So for that C ( MySQL TDE) is most appropriate. Then there is a question of how we encrypt it, the catch phrase here is “IAM” which is E.

B. Amazon CloudFront using AWS Lambda@Edge E. AWS Key Management Services

After reading the information on below link, it is crystal clear that the answer is BE https://aws.amazon.com/blogs/security/how-to-protect-sensitive-data-for-its-entire-lifecycle-in-aws/

Answer is B and E for me.

Clearly A is one of the answers, but not sure about the other one... B is not necessary because Lambda ENI may access SQS service via IGW or VPC Service Endpoint for SQS. C is also not necessary because we may use NAT Gateway/Instance or again VPC Service Endpoint for SQS. D may be true, as ElasticCache cluster's SG must allow outbound access to the Lambda ENI. I would go for AD then... Still the only 100% right answer for me is A though.

If one takes a look at the "Sample application architecture and data flow" diagram given in https://aws.amazon.com/blogs/security/how-to-enhance-the-security-of-sensitive-customer-data-by-using-amazon-cloudfront-field-level-encryption/, it becomes clear that Amazon CloudFront is where the encryption should take place as it satisfies the requirement of "...personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received". While database could be part of the architecture (as it is shown in the same diagram), it comes after.