PrepAway - Latest Free Exam Questions & Answers

How can the user achieve this?

A storage admin wants to encrypt all the objects stored in S3 using server-side encryption. The user does not
want to use the AES-256 encryption key provided by S3. How can the user achieve this?

A.
The admin should upload his secret key to the AWS console and let S3 decrypt the objects

B.
The admin should use CLI or API to upload the encryption key to the S3 bucket. When making a call to the
S3 API mention the encryption key URL in each request

C.
S3 does not support client supplied encryption keys for server side encryption

D.
The admin should send the keys and encryption algorithm with each API call

Explanation:
AWS S3 supports client-side or server-side encryption to encrypt all data at rest. With server-side encryption,
either S3 supplies and manages the AES-256 encryption key, or the user supplies his own key by sending it along
with each API call. Amazon S3 never stores the user's encryption key; the user has to supply it with every
encryption (upload) or decryption (download) request.

One Comment on “How can the user achieve this?”

  1. raduf says:

    D
    Amazon S3 does not store the encryption key you provide. Instead, we store a randomly salted HMAC value of the encryption key in order to validate future requests. The salted HMAC value cannot be used to derive the value of the encryption key or to decrypt the contents of the encrypted object. That means, if you lose the encryption key, you lose the object.




    6



    0
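The mechanics behind answer D and the comment above, as an added example (not AWS code and not part of the original post): the client builds the three SSE-C request headers (algorithm, base64 key, base64 MD5 of the key) for every call, and a toy object store models the server side, keeping only a randomly salted HMAC of the key, never the key itself, and rejecting a later request whose key does not match. The header names and the `AES256` algorithm value are the real SSE-C ones; `ToyStore`, `demo`, and the SHA-256 counter-mode XOR used as a stand-in for AES are constructed for this illustration only.

```python
import base64
import hashlib
import hmac
import os

SSE_C_ALGORITHM = "AES256"  # the only algorithm value SSE-C accepts


def sse_c_headers(key: bytes) -> dict:
    """Client side: the SSE-C headers that must accompany every PUT/GET."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        # MD5 here is an integrity check on the header, not a security primitive
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(
            hashlib.md5(key).digest()
        ).decode(),
    }


def _key_from_headers(headers: dict) -> bytes:
    """Server side: recover the key from the request and verify the MD5 header."""
    if headers.get("x-amz-server-side-encryption-customer-algorithm") != SSE_C_ALGORITHM:
        raise ValueError("unsupported SSE-C algorithm")
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    sent_md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"])
    if not hmac.compare_digest(hashlib.md5(key).digest(), sent_md5):
        raise ValueError("customer key MD5 mismatch")
    if len(key) != 32:
        raise ValueError("customer key must be 32 bytes")
    return key


def _toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256 (NOT real AES): SHA-256 counter-mode keystream XOR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


class ToyStore:
    """Hypothetical object store: stores a salted HMAC of the key, never the key."""

    def __init__(self):
        self._objects = {}

    def put_object(self, name: str, body: bytes, headers: dict) -> None:
        key = _key_from_headers(headers)
        salt, nonce = os.urandom(16), os.urandom(16)
        self._objects[name] = {
            "salt": salt,
            "key_hmac": hmac.new(salt, key, hashlib.sha256).digest(),
            "nonce": nonce,
            "ciphertext": _toy_keystream_xor(key, nonce, body),
        }

    def get_object(self, name: str, headers: dict) -> bytes:
        key = _key_from_headers(headers)
        rec = self._objects[name]
        expected = hmac.new(rec["salt"], key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["key_hmac"]):
            raise PermissionError("403: supplied key does not match this object")
        return _toy_keystream_xor(key, rec["nonce"], rec["ciphertext"])

    def stored_record(self, name: str) -> dict:
        return self._objects[name]


def demo():
    """Upload with a key, read back with the same key, fail with a different key."""
    store = ToyStore()
    key = os.urandom(32)  # constructed sample key; in practice comes from the admin's KMS/HSM
    store.put_object("report.txt", b"quarterly numbers", sse_c_headers(key))
    roundtrip = store.get_object("report.txt", sse_c_headers(key))
    try:
        store.get_object("report.txt", sse_c_headers(os.urandom(32)))
        wrong_key_rejected = False
    except PermissionError:
        wrong_key_rejected = True
    # the key itself never appears in what the server persisted
    key_not_stored = key not in store.stored_record("report.txt").values()
    return roundtrip, wrong_key_rejected, key_not_stored


if __name__ == "__main__":
    print(demo())
```

The practical consequence the comment points at follows directly: because the server holds only `salt` and `key_hmac`, a lost key leaves the ciphertext unrecoverable, so SSE-C only makes sense when the admin already has a durable, access-controlled store for the keys outside S3.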
