AWS Certified Solutions Architect - Associate / Question #1583 of 1019

Question #1583

A company is developing a payment processing system and needs to securely store credit card details. The system must ensure that sensitive data remains encrypted at rest and is inaccessible to database administrators. Which solution meets these requirements?

A

Store data in an Amazon EBS volume encrypted using EBS encryption. Use IAM roles to control access.

B

Store data in Amazon DynamoDB. Use AWS KMS client-side encryption to encrypt data before storing it. Use IAM policies to restrict access.

C

Store data in Amazon S3 with server-side encryption using AWS KMS. Use bucket policies to restrict access.

D

Store data in Amazon RDS for PostgreSQL with Transparent Data Encryption (TDE) enabled. Use database user permissions to restrict access.

Explanation

Answer B is correct because:
- Client-Side Encryption: Encrypting data with AWS KMS before storing it in DynamoDB ensures sensitive credit card details are never stored in plaintext, so the stored values remain unreadable to database administrators.
- IAM Policies: Restricting access via IAM ensures only authorized roles can use the KMS key to decrypt the data, preventing unauthorized access.

Why other options are incorrect:
- A: EBS encryption protects data at rest, but it is transparent to the operating system, so database administrators with EC2 access could still read the decrypted data.
- C: S3 server-side encryption (SSE-KMS) encrypts data at rest, but administrators with S3 and KMS access could still decrypt it.
- D: RDS TDE encrypts the storage layer, but the database engine decrypts transparently, so database administrators can still query the decrypted data.

Key Points: Client-side encryption ensures data is encrypted before reaching the database, preventing exposure to administrators. Use IAM policies to enforce least privilege.

Answer

The correct answer is: B