Your recent security review revealed a large spike in attempted logins to your AWS account. For sensitive data stored in encryption enabled S3, the data has not been encrypted and is susceptible to fraud if it was to be stolen. You’ve recommended AWS Key Management Service as a solution. Which of the following is true regarding the server-side encryption of KMS?

Answer options:

A.Only KMS generated keys can be used to encrypt or decrypt data.
B.Data is encrypted at rest with KMS.
C.KMS allows all users and roles to use the keys by default.
D.Data is encrypted in transit with the KMS key.

Correct Answer: B
Option B is correct. Data is encrypted at rest once uploaded to S3.
Option A is incorrect. Data can be encrypted/decrypted using AWS keys or keys provided by your company.
Option C is incorrect. Users are granted permissions explicitly, not by default by KMS.
Option D is incorrect. KMS is used for the encryption at rest instead of in transit.
References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
ttps://d1.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf
https://aws.amazon.com/kms/faqs/
https://docs.aws.amazon.com/general/latest/gr/rande.html#kms_region
https://www.slideshare.net/AmazonWebServices/encryption-and-key-management-in-aws