Question #1067
An AWS Lambda function generates a 4 MB CSV file daily and uploads it to an Amazon S3 bucket. The file contains sensitive data, so the developer must ensure it is encrypted before being stored in the bucket.
Which of the following changes should the developer implement to ensure the data is encrypted prior to upload?
A. Use the default AWS Key Management Service (AWS KMS) key for Amazon S3 in the Lambda function code.
B. Use an S3 managed key and call the GenerateDataKey API to encrypt the file.
C. Invoke the GenerateDataKey API, encrypt the file with the data key in the Lambda function code, and include the encrypted data key.
D. Use an AWS Key Management Service (AWS KMS) customer managed key for Amazon S3 in the Lambda function code.
Explanation
The question requires encrypting sensitive data before it is stored in S3. Option A uses the default AWS KMS key (SSE-KMS): the Lambda function sets the server-side encryption headers on the upload request, so S3 encrypts the object with that key as it writes it, which fulfils the requirement.
Other options are incorrect because:
- B: GenerateDataKey is a KMS API, so it cannot be used with S3 managed keys (SSE-S3), which involve no KMS key at all. This combination is invalid.
- C: Client-side encryption with GenerateDataKey is unnecessary here. The question doesn't mandate client-side encryption, and SSE-KMS suffices.
- D: While using a customer-managed KMS key (SSE-KMS) is valid, the question doesn't require a custom key. The default KMS key (A) is simpler and meets the requirement.
Key Points:
- Server-side encryption (SSE-KMS) encrypts data at rest in S3.
- Specifying SSE-KMS headers during upload ensures encryption before storage.
- Default KMS key (aws/s3) is automatically available, requiring no additional setup.
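As an added illustration (not part of the original question or answer), the following Python shows what "specifying SSE-KMS headers during upload" looks like in a Lambda function and how to verify afterwards that the stored object really is SSE-KMS encrypted. It assumes boto3's real `put_object` / `head_object` parameter names; the `FakeS3Client` stub is constructed here so the code runs offline without AWS credentials.

```python
"""Added example: request SSE-KMS on an S3 upload and verify the result.

Assumes boto3's S3 client interface (put_object / head_object). The stub
client below is a constructed stand-in so the example runs offline.
"""

from typing import Optional


def build_sse_kms_put_params(bucket: str, key: str, body: bytes,
                             kms_key_id: Optional[str] = None) -> dict:
    """Return keyword arguments for s3.put_object that request SSE-KMS.

    With kms_key_id=None, S3 uses the AWS managed key aws/s3 (option A).
    Passing a customer managed key ARN instead gives option D.
    """
    params = {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ServerSideEncryption": "aws:kms",  # the SSE-KMS request header
    }
    if kms_key_id:
        params["SSEKMSKeyId"] = kms_key_id
    return params


def is_sse_kms_encrypted(head_object_response: dict) -> bool:
    """True only if a head_object response reports SSE-KMS.

    "AES256" means SSE-S3; a missing field means no server-side encryption
    was reported. Both fail the check, so a caller can alarm on them.
    """
    return head_object_response.get("ServerSideEncryption") == "aws:kms"


def upload_csv_with_sse_kms(s3_client, bucket: str, key: str, body: bytes,
                            kms_key_id: Optional[str] = None) -> bool:
    """Upload the CSV with SSE-KMS headers, then verify the stored object."""
    s3_client.put_object(**build_sse_kms_put_params(bucket, key, body, kms_key_id))
    return is_sse_kms_encrypted(s3_client.head_object(Bucket=bucket, Key=key))


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client (offline use only).

    It simply echoes the encryption that was requested; a real bucket also
    applies its own default encryption setting, which this stub does not model.
    """

    def __init__(self):
        self.objects = {}

    def put_object(self, **params):
        self.objects[(params["Bucket"], params["Key"])] = params
        return {}

    def head_object(self, Bucket, Key):
        stored = self.objects[(Bucket, Key)]
        response = {"ContentLength": len(stored["Body"])}
        if "ServerSideEncryption" in stored:
            response["ServerSideEncryption"] = stored["ServerSideEncryption"]
        return response


if __name__ == "__main__":
    # Constructed sample CSV; the Lambda function in the question writes ~4 MB.
    csv_body = b"id,ssn\n1,REDACTED\n"
    client = FakeS3Client()
    ok = upload_csv_with_sse_kms(client, "example-bucket", "daily/report.csv", csv_body)
    print("stored with SSE-KMS:", ok)
    # In the real Lambda: import boto3; client = boto3.client("s3") and pass it instead.
```

The verification step is the part worth keeping in production: `head_object` after the upload confirms that the header was honoured rather than silently dropped, and it distinguishes SSE-KMS (`aws:kms`) from SSE-S3 (`AES256`), which option B would have produced.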
Answer
The correct answer is: A