Currently my web app stores user-uploaded ID scans in S3. I am concerned about an eventual data leak.
The S3 bucket is encrypted with server-side encryption (AES-256), but I figure the next obvious risk is an attacker gaining access to the AWS account itself. I have secured the root account with 2FA, but there are several user accounts that still have full access to S3 (such as a Travis CI account).
The solution I am thinking of is periodically moving the ID scans to a different source with client-side encryption (where only I know the private key). That way if a leak happens, there will be only a small amount of data leaked.
Is this a common practice or are there better solutions in this situation?
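The client-side encryption the question describes, as an added example (not code from the asker or from AWS): envelope encryption in Go using only the standard library. Each scan gets a fresh 256-bit data key and is sealed with AES-256-GCM; the data key is then sealed under a master key that lives outside the AWS account (or in a KMS key whose policy the CI user cannot use). The S3 object key is bound as associated data so a ciphertext cannot be silently moved to another object. Only the sealed scan and the wrapped data key would be uploaded; the master key never reaches S3, so a compromised S3-capable IAM user gets ciphertext only. The type and function names, and the sample object key and scan bytes in `main`, are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is what would be stored in S3 instead of the plaintext scan:
// the GCM-sealed scan plus its per-object data key, itself sealed under the
// master key. Both fields carry their random nonce as a prefix.
type EncryptedObject struct {
	WrappedKey []byte // data key sealed under the master key
	Ciphertext []byte // scan sealed under the data key
}

// sealGCM encrypts plaintext with AES-GCM under key, binding aad, and returns
// nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to key, aad or the bytes fails the tag check.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptScan performs envelope encryption of one ID scan. masterKey must be
// 32 bytes and is held by the application owner, never stored in AWS.
// objectKey (the intended S3 key) is bound as associated data.
func EncryptScan(masterKey []byte, objectKey string, scan []byte) (EncryptedObject, error) {
	dataKey := make([]byte, 32) // fresh AES-256 key per object
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedObject{}, err
	}
	ct, err := sealGCM(dataKey, scan, []byte(objectKey))
	if err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := sealGCM(masterKey, dataKey, []byte(objectKey))
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptScan unwraps the data key with the master key, then opens the scan.
func DecryptScan(masterKey []byte, objectKey string, obj EncryptedObject) ([]byte, error) {
	dataKey, err := openGCM(masterKey, obj.WrappedKey, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, obj.Ciphertext, []byte(objectKey))
}

func main() {
	// Constructed sample values; a real master key would be loaded from a secret
	// store outside the AWS account.
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	scan := []byte("constructed sample: bytes of an uploaded ID scan")
	obj, err := EncryptScan(master, "uploads/user-42/id.png", scan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload to S3: %d ciphertext bytes, %d wrapped-key bytes\n",
		len(obj.Ciphertext), len(obj.WrappedKey))
	back, err := DecryptScan(master, "uploads/user-42/id.png", obj)
	fmt.Printf("round trip ok: %v (err=%v)\n", string(back) == string(scan), err)
}
```

The wrapped data key is small and can travel with the object (for example as user metadata on the S3 PutObject), so the bucket holds everything needed to recover a scan except the master key. Decryption fails closed on a wrong master key, a wrong object key, or any modified byte, which is the property the asker wants from "only I know the private key".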