A healthcare company stores patient records in Amazon S3. Compliance requires that the data must be encrypted at rest using keys managed by the company, and the company must be able to audit the usage of the encryption keys. Which encryption method should be used?

Answer options:

Server-Side Encryption with Amazon S3 managed keys (SSE-S3)

Server-Side Encryption with AWS KMS keys (SSE-KMS)

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Client-Side Encryption using the AWS Encryption SDK

How to approach this question

Identify the need for 'auditing key usage'. AWS KMS integrates with CloudTrail to provide this exact feature.

B.Server-Side Encryption with AWS KMS keys (SSE-KMS)✓ Correct

Server-Side Encryption with AWS KMS keys (SSE-KMS)

SSE-KMS uses AWS Key Management Service. KMS integrates with CloudTrail, allowing you to audit who used which key and when.

Choosing SSE-S3, which does not provide key usage auditing.

65 questions · hints · full answers · grading