A company has asked a Solutions Architect to design a secure content management solution that can be accessed by API calls by external customer applications. The company requires that a customer administrator must be able to submit an API call and roll back changes to existing files sent to the content management solution, as needed.
What is the MOST secure deployment design that meets all solution requirements?
A. Use Amazon S3 for object storage with versioning and bucket access logging enabled, and an IAM role and access policy for each customer application. Encrypt objects using SSE-KMS. Develop the content management application to use a separate AWS KMS key for each customer.
B. Use Amazon WorkDocs for object storage. Leverage WorkDocs encryption, user access management, and version control. Use AWS CloudTrail to log all SDK actions and create reports of hourly access by using the Amazon CloudWatch dashboard. Enable a revert function in the SDK based on a static Amazon S3 webpage that shows the output of the CloudWatch dashboard.
C. Use Amazon EFS for object storage, using encryption at rest for the Amazon EFS volume and a customer managed key stored in AWS KMS. Use IAM roles and Amazon EFS access policies to specify separate encryption keys for each customer application. Deploy the content management application to store all new versions as new files in Amazon EFS and use a control API to revert a specific file to a previous version.
D. Use Amazon S3 for object storage with versioning and enable S3 bucket access logging. Use an IAM role and access policy for each customer application. Encrypt objects using client-side encryption, and distribute an encryption key to all customers when accessing the content management application.
I think you can specify which CMK you want to use to encrypt the objects when you upload to S3 using the KeyId header in the request. If you use a CMK to encrypt your data, you have to use the same CMK to decrypt the ciphertext. You can’t use a separate CMK for each customer to access the same objects in S3. I think D is the better option because with client-side encryption, the object is encrypted before it is uploaded to the S3 bucket, and the encryption key is controlled by the customer. Since only you have the encryption key, you can ensure that nobody except you can decrypt the data.
A, but it’s a tough call on what they consider ‘more’ secure. With ‘D’, the encryption key is out of the system and relies on each customer to keep the key secure. KMS could be restricted to use by the IAM role of the application.
I think the answer is A. For each customer application, there is a role to access data on S3. I think the same role could be an owner of the KMS key that is applied to S3. I think the last line is an additional line.
The question is not clear: will each customer access only his own content, or can everyone access everything?
If a Customer is going to access his own content (likely scenario) then A would work best – SSE + separate KMS for each.
As regards D, client-side encryption and distribution of keys, with clients managing the keys and encryption, is problematic. There are too many moving parts to be managed by each customer. Clients managing keys is especially problematic, as many may not have a good system/process.
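Option A's rollback path, as an added example that is not part of the original question or of this discussion: the application copies the previous S3 version back over the current key and re-encrypts the copy under that customer's own KMS key, which is how you specify the per-customer CMK at upload time as mentioned above. The bucket name, key prefix and KMS key ARN are placeholders, and `FakeVersionedS3` is a constructed in-memory stand-in with the same call shapes as boto3's `put_object`, `get_object`, `list_object_versions` and `copy_object`, so the block runs offline.

```python
class FakeVersionedS3:
    """In-memory stand-in (constructed for this example) for the S3 calls used
    below, with versioning semantics; pass boto3.client("s3") in real use."""
    def __init__(self):
        self._store, self._n = {}, 0  # (bucket, key) -> versions, newest first
    def _add(self, bucket, key, body, kms_key):
        self._n += 1
        self._store.setdefault((bucket, key), []).insert(0, {
            "Key": key, "VersionId": f"v{self._n}", "Body": body, "SSEKMSKeyId": kms_key})
        return f"v{self._n}"
    def put_object(self, Bucket, Key, Body, ServerSideEncryption=None, SSEKMSKeyId=None):
        return {"VersionId": self._add(Bucket, Key, Body, SSEKMSKeyId)}
    def get_object(self, Bucket, Key):
        cur = self._store[(Bucket, Key)][0]
        return {"Body": cur["Body"], "SSEKMSKeyId": cur["SSEKMSKeyId"]}
    def list_object_versions(self, Bucket, Prefix=""):
        return {"Versions": [{"Key": v["Key"], "VersionId": v["VersionId"]}
                             for (b, k), lst in self._store.items()
                             if b == Bucket and k.startswith(Prefix) for v in lst]}
    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption=None, SSEKMSKeyId=None):
        src = next(v for v in self._store[(CopySource["Bucket"], CopySource["Key"])]
                   if v["VersionId"] == CopySource["VersionId"])
        return {"VersionId": self._add(Bucket, Key, src["Body"], SSEKMSKeyId)}

def rollback_previous_version(s3, bucket, key, kms_key_arn):
    """Make the previous version of `key` current again. S3 has no in-place
    revert: copying the prior version onto the key creates a new current
    version, so history is kept and the rollback itself is reversible. The
    copy is re-encrypted under the customer's own KMS key."""
    resp = s3.list_object_versions(Bucket=bucket, Prefix=key)
    versions = [v for v in resp.get("Versions", []) if v["Key"] == key]
    if len(versions) < 2:  # index 0 is current, index 1 the previous one
        raise ValueError("no previous version to roll back to")
    previous = versions[1]
    s3.copy_object(Bucket=bucket, Key=key,
                   CopySource={"Bucket": bucket, "Key": key, "VersionId": previous["VersionId"]},
                   ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_arn)
    return previous["VersionId"]

def demo(s3=None):
    """Upload two versions for one customer, then roll back the bad edit."""
    s3 = s3 or FakeVersionedS3()
    bucket, key = "cms-bucket-placeholder", "customer-a/report.txt"
    kms_key = "arn:aws:kms:us-east-1:111111111111:key/customer-a-key-placeholder"
    for body in (b"v1 good", b"v2 bad edit"):
        s3.put_object(Bucket=bucket, Key=key, Body=body,
                      ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key)
    rollback_previous_version(s3, bucket, key, kms_key)
    cur = s3.get_object(Bucket=bucket, Key=key)
    return cur["Body"], cur["SSEKMSKeyId"], len(s3.list_object_versions(Bucket=bucket)["Versions"])
```

The customer's IAM role only needs `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey` on its own key for this to work, so a role scoped to one key cannot read another customer's prefix even if the object ACL allowed it.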