-
judy (participant)
The company needs to design a secure content mgmt solution, accessed by API calls by external customer apps. The requirement is that a customer admin must be able to submit an API call and roll back changes to existing files sent to the content mgmt solution, as needed.
What is the MOST secure deployment design that meets all solution requirements?
A. Use S3 for object storage with versioning and bucket access logging enabled, and an IAM role and access policy for each customer app. Encrypt objects using SSE-KMS. Develop the content mgmt app to use a separate KMS key for each customer.
B. Use WorkDocs for object storage. Leverage WorkDocs encryption, user access mgmt, and version control. Use CloudTrail to log all SDK actions and create reports of hourly access by using the CW dashboard. Enable a revert function in the SDK based on a static S3 webpage that shows the output of the CW dashboard.
C. Use EFS for object storage, using encryption at rest for the EFS volume and a customer managed key stored in KMS. Use IAM roles and EFS access policies to specify separate encryption keys for each customer app. Deploy the content mgmt app to store all new versions as new files in EFS and use a control API to revert a specific file to a previous version.
D. Use S3 for object storage with versioning and enable S3 bucket access logging. Use an IAM role and access policy for each customer app. Encrypt objects using client-side encryption, and distribute an encryption key to all customers when accessing the content mgmt app.
-
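ciscogeek (participant)
The question asks for the most secure design. A mentions using SSE-KMS, with each customer having its own separate CMK, so the security is higher.
WorkDocs is generally a desktop-level shared folder, better suited to use within a single company. It is also generally understood as file storage, not object storage. If the question were asking for the simplest and most convenient solution, B could be considered.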
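
The rollback call that option A relies on, as an added example that is not part of the original posts: it restores the previous S3 object version by copying it over the current key and re-encrypting with that customer's KMS key. It assumes `s3` is a boto3 S3 client created from the customer's IAM role; the `customers/<id>/` key layout, the bucket name and `FakeS3` (a constructed in-memory stand-in so the block runs offline) are hypothetical.

```python
from datetime import datetime, timedelta, timezone

def rollback_object(s3, bucket, customer_prefix, key, kms_key_id):
    """Re-publish the previous version of `key` as the new latest version."""
    # Application-level tenant check, in addition to the per-customer IAM policy.
    if not key.startswith(customer_prefix):
        raise PermissionError("key is outside this customer's prefix")
    # Not handled here: paginated listings (>1000 versions) and delete markers.
    resp = s3.list_object_versions(Bucket=bucket, Prefix=key)
    # Prefix also matches longer keys (report.txt.bak), so filter on the exact key.
    versions = [v for v in resp.get("Versions", []) if v["Key"] == key]
    versions.sort(key=lambda v: v["LastModified"], reverse=True)
    if len(versions) < 2:
        raise LookupError("no earlier version to roll back to")
    previous = versions[1]
    # Copying keeps the whole version history; the rollback itself is a new version.
    result = s3.copy_object(
        Bucket=bucket, Key=key,
        CopySource={"Bucket": bucket, "Key": key, "VersionId": previous["VersionId"]},
        ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id,
    )
    return previous["VersionId"], result["VersionId"]

class FakeS3:
    """Constructed stand-in implementing only the two client calls used above."""
    def __init__(self):
        self.store = []  # every stored version, oldest first

    def put(self, key, body, kms_key_id):
        vid = f"v{len(self.store) + 1}"
        when = datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(minutes=len(self.store))
        self.store.append({"Key": key, "VersionId": vid, "LastModified": when,
                           "Body": body, "KmsKey": kms_key_id})
        return vid

    def list_object_versions(self, Bucket, Prefix):
        return {"Versions": [v for v in self.store if v["Key"].startswith(Prefix)]}

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption, SSEKMSKeyId):
        src = next(v for v in self.store if v["VersionId"] == CopySource["VersionId"])
        return {"VersionId": self.put(Key, src["Body"], SSEKMSKeyId)}
```

Because the restore is a copy rather than a delete, the bad version stays in the bucket history and the rollback shows up in the access logs as an ordinary write.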
-
judy (participant)
That makes sense. Thank you very much for your timely reply and help!