A legal firm is storing legal documents in Amazon S3 buckets & has configured lifecycle policies to move all old files to Amazon S3 Glacier. The Security Team is concerned about encrypting these files in both the Amazon S3 bucket & S3 Glacier. Additionally, they are looking for an audit trail for CMKs used for accessing the objects in the S3 bucket & users using these CMKs.
What encryption technique can a SysOps administrator implement?

Answer options:

A.Implement encryption using SSE-S3 for objects stored in the Amazon S3 bucket, while for S3 Glacier all files are encrypted with keys managed by AWS.
B.Implement encryption using SSE-S3 for objects stored in Amazon S3 bucket while for S3 Glacier use SSE-C encryption.
C.Implement encryption using SSE-KMS for objects stored in the Amazon S3 bucket, while for S3 Glacier all files are encrypted with keys managed by AWS.
D.Implement encryption using SSE-KMS for objects stored in Amazon S3 bucket while for S3 Glacier use SSE-C encryption.

Correct Answer: C
For objects stored in the Amazon S3 bucket, there are four ways for encryption at rest,
SSE-S3
SSE-KMS
SSE-C
Client-side encryption.
With SSE-KMS, there is an additional benefit of getting audit trails for CMKS which are used for encryption & also get details of users accessing these CMKs.
For all data stored in Amazon S3 Glacier, encryption is by default enabled using keys managed by AWS.
Option A is incorrect as with encryption using SSE-S3, an audit trail for CMKs used for encryption is not possible.
Options B & D are incorrect as with Amazon S3 Glaciers, all files are encrypted using AWS managed keys.
For more information on encryption at rest for Amazon S3 & S3 Glacier, refer to the following URL,
https://d0.awsstatic.com/whitepapers/AWS%20Storage%20Services%20Whitepaper-v9.pdf