September 14, 2021 by Admin
The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.
Pattern:
“randomID_datestamp_PII.csv”
Example:
“1234567_12302017_000-00-0000 csv”
The bucket where these objects are being stored is using server-side encryption (SSE).
Which solution is the most secure and cost-effective option to protect the sensitive data?
- Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
- Add an S3 bucket policy that denies the action s3:GetObject
- Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
- Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.