AWS Certified Developer – Associate / Question #957 of 557

Question #957

A company uses an Amazon S3 bucket to store sensitive data. They need to ensure that all data is encrypted in transit and at rest using AWS KMS customer managed keys, which can be rotated as needed. Which two steps should be taken? (Choose two.)

A

Use a permissions boundary in the bucket policy to require HTTPS.

B

Configure the S3 bucket's default encryption to use an AWS KMS customer managed key.

C

Modify the application to specify server-side encryption with AWS KMS when uploading objects.

D

Enforce HTTPS by adding a bucket policy with the aws:SecureTransport condition.

E

Enable S3 Block Public Access to restrict access to HTTPS connections.

Explanation

The correct answers are B and D.

Why B (Configure default encryption with KMS): Setting the bucket's default encryption to SSE-KMS with a customer managed key makes S3 encrypt every object that is uploaded without an explicit server-side-encryption header under that key. A customer managed key can have automatic rotation enabled (or be rotated manually by repointing its alias), and objects written under older key material stay readable because KMS retains that material. Two practical caveats: principals that read and write the bucket also need kms:Decrypt and kms:GenerateDataKey on the key, and a request that explicitly sets x-amz-server-side-encryption to another mode (for example AES256) overrides the bucket default for that object.

Why D (Enforce HTTPS via bucket policy): A bucket policy statement with Effect Deny, Principal "*", and the condition Bool aws:SecureTransport = false, applied to both the bucket ARN and the bucket/* object ARN, rejects every request made over plain HTTP, so data in transit is always TLS-protected. Access is still granted by the usual IAM or bucket-policy Allow statements; this Deny only removes the insecure path.

Why others are incorrect:
- A: Permissions boundaries are managed policies attached to IAM users and roles to cap their permissions; they are not a bucket-policy feature and cannot require HTTPS.
- C: Specifying SSE-KMS on each upload does give the same at-rest result, but it depends on every client being modified correctly, while default encryption (B) covers uploads that omit the header. If clients cannot be trusted to omit or set the header correctly, add a bucket policy Deny for PutObject requests whose x-amz-server-side-encryption header is present but not aws:kms.
- E: S3 Block Public Access blocks public ACLs and public bucket policies; it has no effect on whether a connection uses HTTPS.

Key Points:
- Use S3 default encryption with a KMS customer managed key for at-rest encryption; grant callers kms:Decrypt and kms:GenerateDataKey on that key.
- Enforce HTTPS via bucket policy (Deny when aws:SecureTransport is false) for in-transit encryption.
- An explicit x-amz-server-side-encryption header on a PutObject overrides the bucket default, so deny non-KMS header values in the bucket policy if uploads come from untrusted clients.
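The two controls from B and D, plus the policy statement that closes the header-override gap, as an added example (not from the original page). The bucket name and KMS key ARN are placeholders, `apply()` expects a boto3 S3 client, and `denied_by()` is a deliberately simplified model of IAM evaluation that covers only Deny statements and the condition operators used here, so the policy can be exercised against constructed request contexts without touching AWS:

```python
"""Generate the S3 default-encryption payload and bucket policy, then check
offline which requests the policy denies.  Added example; bucket name and key
ARN are placeholders.  The checker models only Deny statements and the
Null / Bool / StringEquals / StringNotEquals operators used below."""
from fnmatch import fnmatchcase

BUCKET = "example-sensitive-data"                       # placeholder bucket name
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "11111111-2222-3333-4444-555555555555")   # placeholder CMK ARN
SSE_HEADER = "s3:x-amz-server-side-encryption"


def default_encryption_config(kms_key_arn: str) -> dict:
    """Payload for s3.put_bucket_encryption: SSE-KMS with a customer managed key.
    BucketKeyEnabled reduces per-object KMS calls; it does not change the key used."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True}]}


def bucket_policy(bucket: str) -> dict:
    """Deny plaintext HTTP on the bucket and its objects, and deny uploads that
    explicitly request a non-KMS encryption mode (which would override the default)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyNonKmsEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         # Null=false means "header is present"; paired with StringNotEquals so
         # that uploads with no header still pass and pick up the bucket default.
         "Condition": {"Null": {SSE_HEADER: "false"},
                       "StringNotEquals": {SSE_HEADER: "aws:kms"}}},
    ]}


def _matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Simplified IAM condition semantics for the operators used above."""
    present = key in ctx
    if operator == "Null":               # "true" = key absent, "false" = key present
        return present == (expected == "false")
    if operator == "Bool":
        return present and ctx[key].lower() == expected.lower()
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":    # negated operator: also matches when key is absent
        return not present or ctx[key] != expected
    raise ValueError(f"operator not modelled: {operator}")


def denied_by(policy: dict, action: str, resource: str, ctx: dict):
    """Return the Sid of the first Deny statement matching the request, else None.
    Only explicit Deny is modelled; a real request additionally needs an Allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        conds = stmt.get("Condition", {})
        if all(_matches(op, k, v, ctx) for op, kv in conds.items() for k, v in kv.items()):
            return stmt["Sid"]
    return None


def effective_sse(ctx: dict, config: dict) -> str:
    """Mode S3 applies to a PutObject: an explicit request header wins over the default."""
    default = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    return ctx.get(SSE_HEADER, default)


def apply(s3, bucket: str, kms_key_arn: str) -> None:
    """Push both controls using a boto3 S3 client (boto3.client("s3")); not run here."""
    import json
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(kms_key_arn))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy(bucket)))


if __name__ == "__main__":
    policy, cfg = bucket_policy(BUCKET), default_encryption_config(KMS_KEY_ARN)
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    cases = {                                            # constructed request contexts
        "GET over HTTP": ("s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        "PUT with AES256 header": ("s3:PutObject", obj,
                                   {"aws:SecureTransport": "true", SSE_HEADER: "AES256"}),
        "PUT with no header": ("s3:PutObject", obj, {"aws:SecureTransport": "true"}),
    }
    for name, (action, res, ctx) in cases.items():
        print(f"{name:24} denied by: {denied_by(policy, action, res, ctx)}"
              f"  (stored as: {effective_sse(ctx, cfg)})")
```

The third case is the one the exam answer glosses over: with no header the upload is allowed and S3 stores the object under the customer managed key because of the bucket default, whereas an explicit AES256 header would have silently produced an SSE-S3 object if the second Deny statement were missing.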

Answer

The correct answer is: BD