You work as a machine learning specialist at a credit card transaction processing company. You have built a data streaming pipeline using Kinesis Data Firehose and S3. Due to the personally identifiable information contained in your data stream, your data must be encrypted in flight and at rest. How should you configure your solution to achieve encryption at rest?

Answer options:

A.Encrypt the data at the data consumer application level.
B.Encrypt the data by configuring Firehose to use S3-managed encryption keys (SSE-S3).
C.Encrypt the data by configuring Firehose to use S3 server-side encryption with AWS Key Management Service (SSE-KMS).
D.Encrypt the data by configuring Firehose to use S3 server-side encryption with 256-bit AES-GCM with HKDF.

Answer: C
Option A is incorrect. Encrypting the data at the Kinesis consumer application level does not allow for encryption at the S3 bucket. Once the data has reached the consumer application, it has already been stored in S3 without being encrypted.
Option B is incorrect. Kinesis Data Firehose does not use SSE-S3. It uses SSE-KMS. (See the Amazon Kinesis Data Firehose developer documentation titled Configure Settings)
Option C is correct. The Kinesis Data Firehose documentation states that “Kinesis Data Firehose supports Amazon S3 server-side encryption with AWS Key Management Service (AWS KMS) for encrypting delivered data in Amazon S3. You can choose not to encrypt the data or encrypt with a key from the list of AWS KMS keys that you own. For more information, see Protecting Data Using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS).”
Option D is incorrect. Kinesis Data Firehose does not use 256-bit AES-GCM with HKDF. It uses SSE-KMS. (See the Amazon Kinesis Data Firehose developer documentation titled Configure Settings)
Reference:
Please see the Amazon Kinesis Data Firehose developer guide documentation titled Creating an Amazon Kinesis Data Firehose Delivery Stream and the Amazon Kinesis Data Streams developer guide documentation titled What is Server-Side Encryption for Kinesis Data Streams.