Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 454 discussion

Answer D AWS KMS Custom master key will allow to create a key policy which will define uses/roles to access the master key

I picked D. A & B are irrelevant since the data is already in AWS RDS, thus client-side encryption cannot be used. Out of C & D, I picked D. Simply because having a CMK means you can use resource-based policies to restrict access to the key. This means, if you can't access the key, you can't decrypt the data.

Customer managed keys is better. The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

The question is talking about inaccessible to IT personnel means it is already stored and at rest. So, no question about in transit and no need to talk about client side encryption. So, the choice is between C and D. and I would go with D due to customer managed key where the customer has full control.

I think there should be a difference meaning between the 2 terms as CMK (Customer Master Key) and Customer Managed Key? Here is my understanding. Customer Managed Key means customer to generate its own CMK using KMS Svc and such CMK is only kept within KMS Svc and cannot be fetched by the client App. CMK is used to encrypt/decrypt the Data Encryption Key DEK whereby such DEK can be fetched by the client App.

IMO: C because of the guaranteed access (no custom access control) & RDS allows both key types. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

D seems good.

Customer Key Managed

Amazon RDS encrypted DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. The AWS Encryption SDK is a client-side encryption library that enables developers to focus on the core functionality of their application while adhering to security best practices. The AWS Encryption SDK also integrates with KMS.

ITs D. There are 3 main things: 1.Encryption in flight using SSl/TLS certificates 2.Encryption at rest->using Client side encryption, meaning sending encrypted data into AWS. Encryption/decryption managed at client end. 3.Encryption at rest-> Server Side Encryption ie encryption happens after data reaches AWS. This can be done using AWS and its KMS service. ========= KMS is a service that manages encryption keys('Customer Master keys',not Data keys).A 'data key' is used to encrypt the actual data data.CMK is basically used to protect the data key which is used for encrypting data.To decrypt the data,one calls the KMS service and uses the CMK to decrypt the 'data key'.Once we have the decrypted(plaintext) data key, we use the same to decrypt the actual data. ======

Can someone please assist with the following? why use cmk and not AWS key? I cant find the answer lease

Well D for today.

D https://aws.amazon.com/blogs/database/securing-data-in-amazon-rds-using-aws-kms-encryption/

C https://aws.amazon.com/about-aws/whats-new/2015/01/06/amazon-rds-encryption-with-kms-mysql-postgresql/

B ! https://aws.amazon.com/blogs/database/performing-sql-database-client-side-encryption-for-multi-region-high-availability/

Ans : d : RDS can be encrypted by CMKs. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

B. I guess when they mean IT staff they meant DBA, for DBA not to see the data, you need to encrypt the data in the application itself aka Client side encryption other encryption methods DBA will be able to see the data, my 2 cents as DBA. :0)