How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns?

Posted by: Pdfprep Category: SCS-C01

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.

How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Select TWO)
A. There is no API operation to retrieve an S3 object in its encrypted form.
B. Encryption of S3 objects is performed within the secure boundary of the KMS service.
C. S3 uses KMS to generate a unique data key for each individual object.
D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.

Answer: C,E
