Question #634
An application needs to securely store thousands of log files. Each file must be encrypted client-side before storage, with a distinct encryption key for every log file.
How should the developer implement this requirement?
Use the KMS Encrypt API to encrypt each log file. Store the encrypted files and their associated KMS keys.
Generate a single encryption key using a third-party cryptography library. Encrypt all log files with this key. Store the encrypted files and the key.
Invoke the KMS GenerateDataKey API to obtain a unique data key for each log file. Encrypt the files with their respective data keys. Store the encrypted files and their encrypted data keys.
Upload the log files to an S3 bucket configured with client-side encryption using a shared AWS KMS customer master key.
Explanation
The correct answer is C because:
- KMS GenerateDataKey provides a unique data key for each file, ensuring each log file has a distinct encryption key.
- The data key is used to encrypt the file client-side, meeting the encryption requirement.
- The encrypted data key (wrapped by KMS CMK) is stored alongside the file, ensuring secure key management.
Other options fail because:
- A: Uses KMS Encrypt API with the same CMK for all files, violating the 'distinct key' requirement.
- B: Uses a single key for all files, which is insecure and non-compliant.
- D: S3 client-side encryption uses unique data keys, but relies on S3's implementation. The question emphasizes explicit client-side encryption, making C the better choice for developer control.
Key Points: Use KMS GenerateDataKey for unique per-file keys, encrypt data client-side, and store encrypted keys securely.
Answer
The correct answer is: C