Question #745
A security engineer is configuring encryption for sensitive financial records stored in Amazon S3. Regulatory compliance mandates that all access to the encryption keys must be logged, including the identities of users and the time of key usage. Which encryption method satisfies these requirements?
A. Server-side encryption with Amazon S3 managed keys (SSE-S3)
B. Server-side encryption with AWS KMS managed keys (SSE-KMS)
C. Server-side encryption with customer-provided keys (SSE-C)
D. Server-side encryption with self-managed keys
Explanation
The correct answer is B: Server-side encryption with AWS KMS managed keys (SSE-KMS).
Why SSE-KMS?
AWS Key Management Service (KMS) integrates with AWS CloudTrail to log all cryptographic operations involving KMS keys. This includes details such as:
- User identity (IAM user/role) accessing the key
- Timestamp of the access
- API operation performed (e.g., Decrypt, GenerateDataKey)
These logs are critical for compliance audits, as they provide a trail of who used the encryption keys and when.
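As an added illustration (not part of the original question or of AWS's own tooling), the following Python extracts exactly the audit fields mentioned above (identity, timestamp, operation, key, and the S3 object named in the encryption context) from CloudTrail records. The events, account ID, key ID and bucket are constructed sample values, and `key_usage_records` / `usage_by_principal` are assumed helper names.

```python
"""Pull key-usage audit records for SSE-KMS out of CloudTrail events."""
from datetime import datetime, timezone

# Constructed sample CloudTrail records; account, key ID and bucket are placeholders.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",  # S3 requests a data key on PutObject
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::finance-records/q1.csv"},
                              "keySpec": "AES_256"},
        "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}],
    },
    {
        "eventTime": "2024-05-01T10:16:30Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",  # S3 unwraps the data key on GetObject
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Analyst/bob",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::finance-records/q1.csv"}},
        "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}],
    },
    {   # Plain S3 data event: object access, not key usage, so it must be ignored
        "eventTime": "2024-05-01T10:17:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
    },
]

# KMS API operations that constitute "use" of a key for the audit trail
KEY_USAGE_OPS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}


def key_usage_records(events):
    """Return who / when / operation / key / S3 object for each KMS key-usage event."""
    records = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") not in KEY_USAGE_OPS:
            continue
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key_arn = next((r["ARN"] for r in ev.get("resources", []) if ":key/" in r.get("ARN", "")), None)
        ctx = ev.get("requestParameters", {}).get("encryptionContext", {})
        records.append({"who": who, "when": when, "op": ev["eventName"], "key": key_arn,
                        "object": ctx.get("aws:s3:arn")})
    return records


def usage_by_principal(events):
    """Count key-usage operations per principal ARN (a simple compliance roll-up)."""
    counts = {}
    for rec in key_usage_records(events):
        counts[rec["who"]] = counts.get(rec["who"], 0) + 1
    return counts
```

With SSE-S3 or SSE-C the same CloudTrail trail would contain only the S3 data event shown last, which carries no key identity at all.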
Why Other Options Fail:
- A (SSE-S3): Uses S3-managed keys, but AWS does not expose per-key access logs for them. Only S3 object access logs (via S3 server access logging) are available, which record object reads and writes, not key usage.
- C (SSE-C): Customer-provided keys are supplied with each request and are never stored or managed by AWS, so AWS cannot log access to the keys themselves.
- D (Self-managed keys): This is ambiguous but typically refers to client-side encryption or non-KMS server-side keys. Neither option provides AWS-managed logging of key access.
Key Points to Remember:
- SSE-KMS enables auditing via CloudTrail.
- Among these options, regulatory requirements for key access logging are met only when KMS is used.
- SSE-S3/SSE-C lack detailed key access audit trails.
Answer
The correct answer is: B