Which solution is the most secure and cost-effective option to protect the sensitive data?

September 14, 2021 by Admin

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.

Pattern:
“randomID_datestamp_PII.csv”
Example:
“1234567_12302017_000-00-0000 csv”

The bucket where these objects are being stored is using server-side encryption (SSE).

Which solution is the most secure and cost-effective option to protect the sensitive data?

  • Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
  • Add an S3 bucket policy that denies the action s3:GetObject
  • Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
  • Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

Leave a Reply