AWS Certified Solutions Architect - Associate / Question #2026 of 1019

Question #2026

A healthcare analytics firm needs to process sensitive patient data collected from multiple partners. The data is stored in a relational database, and the firm must apply complex transformations before loading the results into Amazon S3. All data must be encrypted during processing using customer-specific keys, and the solution must minimize operational overhead.

Which approach meets these requirements MOST effectively?

A. Use separate AWS Glue jobs for each partner. Configure each job with server-side encryption using Amazon S3 managed keys (SSE-S3) to encrypt the output data.

B. Deploy dedicated Amazon EMR clusters for each partner. Apply client-side encryption with custom-managed keys (CSE-Custom) to encrypt data during processing.

C. Use separate AWS Glue jobs for each partner. Configure each job with client-side encryption using AWS KMS keys (CSE-KMS) to encrypt data during processing.

D. Deploy dedicated Amazon EMR clusters for each partner. Apply server-side encryption with AWS KMS keys (SSE-KMS) to encrypt the output data.

Explanation

Option C is correct because:
- AWS Glue is serverless, reducing operational overhead compared to managing EMR clusters (Options B/D).
- Client-Side Encryption with KMS (CSE-KMS) ensures data is encrypted during processing using customer-specific keys, meeting security requirements.

Why other options are incorrect:
- A: Uses SSE-S3 (Amazon-managed keys), not customer-specific keys.
- B/D: EMR clusters require more operational effort, and D encrypts only the output (SSE-KMS), not the data during processing.

Key Points:
1. Use serverless services (e.g., AWS Glue) to minimize operational overhead.
2. Client-Side Encryption (CSE) with KMS ensures encryption during processing and storage with customer-managed keys.
3. SSE encrypts data at rest, not during processing.

Answer

The correct answer is: C