Question
A company is migrating an application to AWS. It wants to use fully managed services as much as possible during the migration. The company needs to store large important documents within the application with the following requirements:
- The data must be highly durable and available
- The data must always be encrypted at rest and in transit
- The encryption key must be managed by the company and rotated periodically
Which of the following solutions should the solutions architect recommend?
A. Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.
B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
C. Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.
D. Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.
Answer
B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
Explanation
The correct solution that meets all the requirements for storing large important documents with high durability, availability, and encryption is:
B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
Let’s elaborate on this solution and explain why it fulfills the specified requirements:
- Use Amazon S3 for storing large important documents:
Amazon S3 (Simple Storage Service) is a fully managed object storage service that provides high durability and availability for storing and retrieving any amount of data at any time. It is a highly scalable service that can handle large volumes of data, making it suitable for storing large documents.
- Enforce HTTPS connections to the S3 bucket:
By configuring an S3 bucket policy to enforce HTTPS connections, the company ensures that all connections to the bucket are encrypted in transit. This helps protect data from potential eavesdropping or interception during transfer.
- Enforce server-side encryption using AWS KMS:
With server-side encryption, all objects stored in the S3 bucket are automatically encrypted at rest. By using AWS Key Management Service (AWS KMS), the company can manage the encryption keys securely. This ensures that the data remains encrypted even when it’s at rest in the S3 bucket, providing an additional layer of security.
- Rotate the encryption key periodically:
AWS KMS allows for easy rotation of encryption keys. The company can set up a key rotation policy to automatically rotate the encryption keys periodically, meeting the requirement for key rotation.
Benefits of this solution:
- Fully managed service: Amazon S3 is a fully managed service, reducing the operational overhead and administrative burden on the company.
- High durability and availability: Amazon S3 provides high durability, replicating data across multiple availability zones, ensuring that data is highly available even in case of hardware failures or outages.
- Encryption at rest and in transit: The solution enforces encryption both in transit (HTTPS connections) and at rest (server-side encryption), meeting the security requirements.
- Key management and rotation: AWS KMS enables the company to manage the encryption keys securely and rotate them periodically to enhance security.
In summary, using Amazon S3 with a bucket policy to enforce HTTPS connections and server-side encryption using AWS KMS provides a secure, highly durable, and fully managed solution for storing large important documents while meeting all the specified requirements.
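As an added example (not part of the original question or its explanation), the bucket policy option B describes, built and audited in Python; the bucket name is a placeholder, and the audit function checks an existing policy document for the two Deny statements. Pair the policy with the bucket's default encryption set to SSE-KMS using the company's customer managed key, and enable automatic rotation on that key, so uploads that send no encryption header still land under the rotated key.

```python
import json

# Added example (not from the page): build the bucket policy option B describes
# and audit an existing policy for the same two controls. Bucket name is a placeholder.

def build_bucket_policy(bucket: str) -> dict:
    """Deny requests not made over TLS, and deny PutObject calls that do not
    request SSE-KMS. Resource ARNs are derived from the bucket name."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


def _as_list(value):
    # IAM policy elements may be a single string/object or a list of them.
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: dict) -> dict:
    """Report which of the two controls a policy document enforces. Only Deny
    statements count, and the TLS deny must cover all actions (s3:* or *)."""
    found = {"denies_insecure_transport": False, "denies_non_kms_uploads": False}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        cond = stmt.get("Condition", {})
        # aws:SecureTransport may be written as the string "false" or a JSON false.
        tls = cond.get("Bool", {}).get("aws:SecureTransport")
        if str(tls).lower() == "false" and any(a in ("s3:*", "*") for a in actions):
            found["denies_insecure_transport"] = True
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sse == "aws:kms" and any(a in ("s3:PutObject", "s3:*") for a in actions):
            found["denies_non_kms_uploads"] = True
    return found


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy("example-docs-bucket"), indent=2))
```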
Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump with detailed explanations and references, available free, helpful to pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn the Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.