AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 201
A company uses AWS Control Tower and AWS CloudFormation to manage its AWS accounts and to create AWS resources. The company requires all Amazon S3 buckets to be encrypted with AWS Key Management Service (AWS KMS) when the S3 buckets are created in a CloudFormation stack.
Which solution will meet this requirement?
Answer options
- A. Use AWS Organizations. Attach an SCP that denies the s3:PutObject permission if the request does not include an x-amz-server-side-encryption header that requests server-side encryption with AWS KMS keys (SSE-KMS).
- B. Use AWS Control Tower with a multi-account environment. Configure and enable proactive AWS Control Tower controls on all OUs with CloudFormation hooks.
- C. Use AWS Control Tower with a multi-account environment. Configure and enable detective AWS Control Tower controls on all OUs with CloudFormation hooks.
- D. Use AWS Organizations. Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. Deploy the rule. Create and apply an SCP to prevent users from stopping and deleting AWS Config across all AWS accounts.
Correct answer: B
Explanation
Option B is correct because proactive AWS Control Tower controls, implemented as CloudFormation hooks, evaluate the resources in a stack before they are provisioned, so an S3 bucket that is not configured for AWS KMS encryption is rejected at creation time. The other options do not enforce encryption during bucket creation: option A relies on an SCP condition on s3:PutObject requests, which governs object uploads rather than bucket creation; option C uses detective controls, which only report non-compliance after the fact; and option D uses an AWS Config rule that checks buckets that already exist instead of preventing a non-compliant bucket from being created.
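To make the distinction between proactive and detective enforcement concrete, the following is an added example (it is not part of this question page and is not AWS Control Tower's or CloudFormation's own implementation). It mimics the kind of pre-provisioning validation a proactive control performs through a CloudFormation hook: it inspects every AWS::S3::Bucket resource in a template and flags any that do not declare SSE-KMS default encryption, before anything is created. The function names and the hook-style result format are hypothetical, the sample template is constructed, and the resource property layout follows the documented AWS::S3::Bucket BucketEncryption property.

```python
"""Template-level check for SSE-KMS default encryption on S3 buckets.

Added example, not AWS Control Tower or CloudFormation code. It evaluates a
parsed CloudFormation template (a dict, as you would get from json.load or a
YAML loader) the way a proactive control hook would: before provisioning.
"""

# SSEAlgorithm values that are backed by AWS KMS (SSE-KMS and DSSE-KMS).
# "AES256" is SSE-S3 and does not satisfy a "must use KMS" requirement.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def bucket_uses_sse_kms(resource: dict) -> bool:
    """Return True if an AWS::S3::Bucket resource declares KMS default encryption.

    Property path checked:
    Properties.BucketEncryption.ServerSideEncryptionConfiguration[].
        ServerSideEncryptionByDefault.SSEAlgorithm
    """
    props = resource.get("Properties") or {}
    encryption = props.get("BucketEncryption") or {}
    rules = encryption.get("ServerSideEncryptionConfiguration") or []
    for rule in rules:
        default = rule.get("ServerSideEncryptionByDefault") or {}
        if default.get("SSEAlgorithm") in KMS_ALGORITHMS:
            return True
    return False


def find_noncompliant_buckets(template: dict) -> list[str]:
    """Logical IDs of AWS::S3::Bucket resources lacking SSE-KMS default encryption."""
    resources = template.get("Resources") or {}
    return sorted(
        logical_id
        for logical_id, res in resources.items()
        if res.get("Type") == "AWS::S3::Bucket" and not bucket_uses_sse_kms(res)
    )


def evaluate_template(template: dict) -> dict:
    """Hypothetical hook-style verdict: FAILED blocks the stack, SUCCESS lets it proceed."""
    offenders = find_noncompliant_buckets(template)
    if offenders:
        return {
            "status": "FAILED",
            "message": "S3 buckets without SSE-KMS default encryption: "
            + ", ".join(offenders),
        }
    return {"status": "SUCCESS", "message": "All S3 buckets use SSE-KMS."}


# Constructed sample template: one compliant bucket, one SSE-S3 bucket,
# one bucket with no encryption block, and a non-bucket resource to skip.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {
                            "ServerSideEncryptionByDefault": {
                                "SSEAlgorithm": "aws:kms",
                                "KMSMasterKeyID": "alias/example-data-key",  # placeholder alias
                            }
                        }
                    ]
                }
            },
        },
        "PlainBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                }
            },
        },
        "LegacyBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DataBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "DataBucket"}, "PolicyDocument": {}},
        },
    },
}

if __name__ == "__main__":
    print(evaluate_template(SAMPLE_TEMPLATE))
```

Running the block prints a FAILED verdict naming LegacyBucket and PlainBucket; DataBucket passes because its default encryption algorithm is aws:kms. This is the proactive behaviour the correct answer relies on: the template is rejected before any bucket exists, whereas a detective control or AWS Config rule would only discover the same two buckets after they had been created.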