Question 28
Domain 5: Data Protection
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. Which of the following requires the LEAST amount of configuration when implementing this approach?
Correct answer: D
Explanation
AWS KMS lets S3 encrypt objects with unique data keys, so using "server-side encryption with AWS KMS-managed keys (SSE-KMS)" limits the impact of a single exposed key. Keeping "all the files in the same S3 bucket" requires the least configuration because S3 applies encryption automatically at the bucket/object level without managing per-file keys yourself.
Why each option is right or wrong
A. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
Multiple buckets and multiple KMS keys add administration overhead without being necessary for per-object protection.
B. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
Lambda-based post-processing is a custom encryption workflow that you must build, deploy and operate yourself, far more complex than native S3 server-side encryption.
C. Use the S3 encryption client to encrypt each file individually using S3-generated data keys.
Client-side encryption shifts key handling and encryption logic to the application, increasing configuration effort.
D. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.
Amazon S3 server-side encryption with AWS KMS-managed keys is the native control that satisfies per-object key separation: S3 generates a unique data key for each object and protects it under a KMS key, so one exposed data key does not compromise other files. Under the S3 SSE-KMS model, you only need to enable encryption on the bucket/object upload path; there is no need to build and operate a custom per-file keying scheme, which is why placing the files in one bucket with SSE-KMS requires the least configuration.
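As an added example (not part of the question bank), the configuration behind option D in Python: the default-encryption rule and the bucket policy are the dict shapes boto3's `put_bucket_encryption` and `put_bucket_policy` accept, and an audit function checks `head_object`-style responses so the answer can be verified after migration. The key ARN and the sample responses are constructed placeholders.

```python
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder, not a real key


def sse_kms_bucket_config(kms_key_arn, bucket_key=True):
    """Default-encryption rule for put_bucket_encryption: S3 wraps a fresh data key
    for every object under this KMS key; BucketKeyEnabled just cuts KMS call volume."""
    return {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": bucket_key,
        }]
    }


def deny_non_kms_uploads_policy(bucket):
    """Bucket policy for put_bucket_policy (json.dumps it first): deny any PutObject
    that does not explicitly request SSE-KMS, so nobody can downgrade an upload."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        }],
    }


def audit_object(key, head, expected_key_arn):
    """Check one head_object-style response; return a finding string or None."""
    algo = head.get("ServerSideEncryption")
    if algo not in ("aws:kms", "aws:kms:dsse"):
        return f"{key}: not SSE-KMS (ServerSideEncryption={algo!r})"
    if head.get("SSEKMSKeyId") != expected_key_arn:
        return f"{key}: wrong KMS key {head.get('SSEKMSKeyId')!r}"
    return None


def audit_bucket(heads, expected_key_arn):
    """Run audit_object over {object key: head_object response}; findings only."""
    return [f for k, h in heads.items() if (f := audit_object(k, h, expected_key_arn))]


SAMPLE_HEADS = {  # constructed head_object responses, not real API output
    "a.pdf": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_KEY_ARN},
    "b.pdf": {"ServerSideEncryption": "AES256"},  # SSE-S3, not the mandated KMS key
    "c.pdf": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"},
}
```

Running `audit_bucket(SAMPLE_HEADS, KMS_KEY_ARN)` flags `b.pdf` and `c.pdf`; in a real account the same function is fed the output of `head_object` for each key listed by `list_objects_v2`.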