Q55 — AWS DEA-C01 Ch.1
A company receives call logs as Amazon S3 objects that contain sensitive customer information. The company must protect the S3 objects by using encryption. The company must also use encryption keys that only specific employees can access. Which solution will meet these requirements with the LEAST effort?
- A. Use an AWS CloudHSM cluster to store the encryption keys. Configure the process that writes to Amazon S3 to make calls to CloudHSM to encrypt and decrypt the objects. Deploy an IAM policy that restricts access to the CloudHSM cluster.
- B. Use server-side encryption with customer-provided keys (SSE-C) to encrypt the objects that contain customer information. Restrict access to the keys that encrypt the objects.
- C. Use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt the objects that contain customer information. Configure an IAM policy that restricts access to the KMS keys that encrypt the objects. ✓
- D. Use server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the objects that contain customer information. Configure an IAM policy that restricts access to the Amazon S3 managed keys that encrypt the objects.
Correct Answer: C. Use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt the objects that contain customer information. Configure an IAM policy that restricts access to the KMS keys that encrypt the objects.
Explanation
Of the S3 server-side encryption options, SSE-KMS (server-side encryption with AWS KMS keys) is the one where the key itself is an addressable AWS resource: access to it is governed by the KMS key policy together with IAM policies, so a principal needs both s3:GetObject on the object and kms:Decrypt on the key before S3 will return plaintext. Denying kms:Decrypt to everyone except the designated employees is enough to keep the call logs unreadable for the rest of the account, and every use of the key is recorded in AWS CloudTrail. KMS is natively integrated with S3, so no extra architecture or key-management infrastructure is required.

The other options fail the "least effort" test or the "restrict the keys" test. SSE-C (option B) means S3 never stores the key at all; the client must send it with every request, so key distribution, storage and access control all have to be built and operated by the company. SSE-S3 (option D) uses keys that S3 owns and rotates internally; there is no key resource to attach an IAM policy to, so the second sentence of that option cannot be implemented. AWS CloudHSM (option A) can hold the keys, but the writing process would have to perform client-side encryption against the cluster, the cluster has to be maintained, and an IAM policy only controls the CloudHSM control plane (creating and describing clusters), not who may use keys inside the HSM, which is managed by HSM users. Following AWS security best practice, SSE-KMS provides the most automation for key management and access control and therefore satisfies the requirement with the least effort.
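The following is an added worked example, not part of the exam page or of any AWS sample: it builds the two policy documents that turn answer C into an enforced control (a bucket policy that refuses any PutObject that is not SSE-KMS with one designated key, and an IAM policy for the employees who may use that key), and it includes a small evaluator of the Deny conditions so the effect can be checked offline against constructed PutObject request contexts. The account ID, region, bucket name and key ARN are placeholders; the evaluator models only the two condition operators the policies use.

```python
"""Added example (not from the exam page): policies behind answer C, plus an
offline check of the bucket policy's Deny statements. All identifiers are
placeholders."""
import json

ACCOUNT = "111122223333"                                # placeholder account id
REGION = "us-east-1"                                    # placeholder region
BUCKET = "example-call-logs"                            # placeholder bucket
KMS_KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT}:key/"
               "11111111-2222-3333-4444-555555555555")  # placeholder key ARN


def bucket_policy(bucket: str, key_arn: str) -> dict:
    """Explicit Deny beats any Allow, so these two statements reject every
    PutObject that is not SSE-KMS with exactly `key_arn`."""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # header missing, or AES256 (SSE-S3), or anything but aws:kms
                "Sid": "DenyNonKmsEncryption",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": obj_arn,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # SSE-KMS, but with some other key (or no key id at all)
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": obj_arn,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
        ],
    }


def analyst_policy(bucket: str, key_arn: str, region: str) -> dict:
    """IAM policy attached only to the employees allowed to read the logs.
    Anyone without kms:Decrypt on the key gets AccessDenied from KMS even if
    they can reach the object."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow",
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                        "kms:DescribeKey"],
             "Resource": key_arn,
             # kms:ViaService: the key is usable only through S3 in this
             # region, not by calling KMS directly with these credentials.
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"s3.{region}.amazonaws.com"}}},
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate the condition operators used above against a request context.
    IAM rule for negated operators: StringNotEquals is TRUE when the key is
    absent from the request, which is what turns "no header" into a Deny."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def put_object_allowed(policy: dict, ctx: dict) -> bool:
    """True only if no Deny statement for s3:PutObject matches the request
    (an Allow from the caller's own IAM policy is assumed)."""
    return not any(
        stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
        and _condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"])


# Constructed request contexts: the S3 condition keys each PutObject variant
# presents to the policy engine.
REQUESTS = {
    "sse_kms_right_key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN},
    "sse_kms_other_key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id":
            f"arn:aws:kms:{REGION}:{ACCOUNT}:key/99999999-0000-0000-0000-000000000000"},
    "sse_s3": {"s3:x-amz-server-side-encryption": "AES256"},
    "no_encryption_header": {},
}


def evaluate_all() -> dict:
    """Map each constructed request to True (allowed) or False (denied)."""
    policy = bucket_policy(BUCKET, KMS_KEY_ARN)
    return {name: put_object_allowed(policy, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, KMS_KEY_ARN), indent=2))
    print(json.dumps(analyst_policy(BUCKET, KMS_KEY_ARN, REGION), indent=2))
    for name, allowed in evaluate_all().items():
        print(f"{name:22s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two practical notes. The Deny statements are evaluated on the headers the client actually sends, so writers should set the SSE-KMS headers explicitly rather than rely on the bucket's default encryption; set default encryption to the same key as well so that nothing slips through other write paths. The key policy still matters: with the default key policy (which delegates to IAM for the account), the IAM policy above is what grants key use, so make sure no broad policy such as `kms:*` on `*` is attached to other principals in the account.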