AWS Certified Developer – Associate (DVA-C02) — Question 513
An application that is running on Amazon EC2 instances stores data in an Amazon S3 bucket. All the data must be encrypted in transit.
How can a developer ensure that all traffic to the S3 bucket is encrypted?
Answer options
- A. Install certificates on the EC2 instances.
- B. Create a private VPC endpoint.
- C. Configure the S3 bucket with server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
- D. Create an S3 bucket policy that denies traffic when the value for the aws:SecureTransport condition key is false.
Correct answer: D
Explanation
A bucket policy statement with Effect Deny, Principal "*", and the condition aws:SecureTransport equal to false rejects every request that arrives over plain HTTP, regardless of which IAM identity makes it, because an explicit Deny always overrides any Allow. aws:SecureTransport is a Bool condition key that is true only when the request used TLS, so this single statement enforces encryption in transit for the whole bucket. SSE-KMS (option C) encrypts objects at rest on the S3 side and says nothing about how the bytes travelled to S3. A VPC endpoint (option B) keeps traffic on the AWS network but still accepts HTTP as well as HTTPS, so it does not by itself force TLS. Installing certificates on the EC2 instances (option A) affects the listeners those instances expose, not the outbound connections the application opens to S3.
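The bucket policy described in option D, written out as an added example (it is not part of the original question, and the bucket name example-bucket and the Sid are placeholders to replace with your own):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Two details matter when applying this. The Resource list must contain both the bucket ARN and the bucket ARN with /*: bucket-level calls such as ListBucket are evaluated against the first, object-level calls such as GetObject and PutObject against the second, and a policy that names only one leaves the other reachable over HTTP. Using Deny rather than an Allow with aws:SecureTransport true is also deliberate; a Deny blocks HTTP requests even from principals whose IAM policies grant full s3:* access, whereas an Allow with a condition only adds permissions and blocks nothing.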