AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 348
A company uses an organization in AWS Organizations to manage many AWS accounts. The company has enabled all features for the organization. The company uses AWS CloudFormation StackSets to deploy configurations to the accounts. The company uses AWS Config to monitor an Amazon S3 bucket.
The company needs to ensure that all object uploads to the S3 bucket use AWS Key Management Service (AWS KMS) encryption.
Which solution will meet these requirements?
Answer options
- A. Create an AWS Config conformance pack that includes the s3-bucket-server-side-encryption-enabled rule. Deploy the conformance pack to the accounts. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic.
- B. Create an SCP that includes a deny statement for the s3:createBucket action and a condition statement where s3:x-amz-server-side-encryption is not aws:kms. Attach the SCP to the root of the organization.
- C. Create an AWS CloudFormation stack set to enable an AWS CloudTrail trail to capture S3 data events for the organization. In the stack set, create an Amazon EventBridge rule to match S3 PutObject events that do not use AWS KMS encryption. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic.
- D. Create an SCP that includes a deny statement for the s3:putObject action and a condition where s3:x-amz-server-side-encryption is not aws:kms. Attach the SCP to the root of the organization.
Correct answer: D
Explanation
Option D is correct because an SCP with a deny statement on the s3:putObject action combined with a condition checking that s3:x-amz-server-side-encryption is not aws:kms acts as a preventive control, blocking non-compliant uploads. Option B is incorrect because s3:createBucket governs bucket creation rather than object uploads. Options A and C are incorrect because they are detective controls that only alert after a non-compliant upload has already occurred.
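The SCP that option D describes, written out as an added example (it is not part of the exam page); the bucket name and the Sid values are placeholders, and `Resource` can be set to `"*"` to cover every bucket in the organization:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectWithoutKmsHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyPutObjectMissingEncryptionHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Attached to the organization root, the deny applies to every member account but never to the management account, which SCPs do not restrict. The negated `StringNotEquals` operator already matches requests that omit the header, so uploads that rely on the bucket's default encryption setting are denied as well; the second statement with the `Null` operator makes that case explicit for anyone auditing the policy.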