An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.
How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)

A. There is no API operation to retrieve an S3 object in its encrypted form.

B. Encryption of S3 objects is performed within the secure boundary of the KMS service.

C. S3 uses KMS to generate a unique data key for each individual object.

D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.






 

Suggested Answer: CD

Community Answer: AC




This question is in SCS-C01 AWS Certified Security – Specialty Exam
For getting AWS Certified Security – Specialty Certificate


Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.