You are working for a Pharma firm. You are using S3 buckets to save a large amount of sensitive project documents for new medical research. You need to ensure that all data at rest in these buckets are encrypted. All the keys need to be managed by the in-house Security team. Which of the following can be used as a best practice to encrypt all data securely?

Answer options:

A.Generate a data key using Customer managed CMK. Encrypt data with Plaintext data key & delete Plaintext data key. Store Encrypted data key & data in S3 buckets. For decryption, use CMK to decrypt the Encrypted data key into the Plaintext data key & then decrypt data using the Plaintext data key.
B.Generate a data key using AWS-managed CMK. Encrypt data with Plaintext data key & delete Plaintext data key. Store Encrypted data key & data in S3 buckets. For decryption, use CMK to decrypt the Encrypted data key into the Plaintext data key & then decrypt data using the Plaintext data key.
C.Generate a data key using Customer managed CMK. Encrypt data with Plaintext data key & do not delete Plaintext data key. Store Encrypted data key & data in S3 buckets. For decryption, use the Plaintext data key to decrypt data.
D.Generate a data key using AWS-managed CMK. Encrypt data with Plaintext data key & do not delete Plaintext data key. Store Encrypted data key & data in S3 buckets. For decryption, use the Plaintext data key to decrypt data.

Correct Answer - A
Since the In-house security team will do key Management, Customer Managed CMK needs to be used. Customer-managed CMK will generate plain text Data Key & encrypted Data Keys. All project-related sensitive documents will be encrypted using these plain text Data Keys. After encryption, plain text Data keys need to be deleted to avoid any inappropriate use, and encrypted Data Keys and encrypted data are stored in S3 buckets.
Data keys = Plaintext Data Key and Encrypted Data Key
While decryption, encrypted Data Key is decrypted using Customer CMK into plain text Key, which is further used to decrypt documents. This Envelope Encryption ensures that data is protected by a Data key, which is further protected by another key.
Option B is incorrect. Since all keys need to manage by the in-house customer Security team, AWS-managed CMKs cannot be used.
Option C is incorrect as it`s not the best practice to save data key files in plain text format. All plain text data keys should be deleted and only encrypted data keys need to be saved.
Option D is incorrect since all keys need to be managed by the in-house customer Security team. AWS-managed CMKs cannot be used. Also, all plain text data keys should be deleted and only encrypted data keys need to be saved.
 For more information on AWS KMS, refer to the following URLs-
 https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
 https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf