AWS Certified Developer – Associate (DVA-C02) — Question 396

A company has an application that uses an Amazon S3 bucket for object storage. A developer needs to configure in-transit encryption for the S3 bucket. All the S3 objects containing personal data needs to be encrypted at rest with AWS Key Management Service (AWS KMS) keys, which can be rotated on demand.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Write an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions boundary.
• B. Configure an S3 bucket policy to enable client-side encryption for the objects containing personal data by using an AWS KMS customer managed key.
• C. Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects containing personal data to Amazon S3.
• D. Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition.
• E. Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS.

Correct answer: C, D

Explanation

To enforce in-transit encryption, an S3 bucket policy must deny requests that do not use HTTPS by utilizing the aws:SecureTransport condition (Option D). For at-rest encryption of personal data using KMS keys that can be rotated on demand, a customer managed key must be used, and encrypting the data client-side via the application before upload (Option C) satisfies this requirement. Other options like permissions boundaries, bucket policies for client-side encryption, or S3 Block Public Access cannot enforce these specific encryption requirements.