AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 379

A company is using Amazon S3 buckets to store important documents. The company discovers that some S3 buckets are not encrypted. Currently, the company’s IAM users can create new S3 buckets without encryption. The company is implementing a new requirement that all S3 buckets must be encrypted.

A DevOps engineer must implement a solution to ensure that server-side encryption is enabled on all existing S3 buckets and all new S3 buckets. The encryption must be enabled on new S3 buckets as soon as the S3 buckets are created. The default encryption type must be 256-bit Advanced Encryption Standard (AES-256).

Which solution will meet these requirements?

Answer options

• A. Create an AWS Lambda function that is invoked periodically by an Amazon EventBridge scheduled rule. Program the Lambda function to scan all current S3 buckets for encryption status and to set AES-256 as the default encryption for any S3 bucket that does not have an encryption configuration.
• B. Set up and activate the s3-bucket-server-side-encryption-enabled AWS Config managed rule. Configure the rule to use the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook as the remediation action. Manually run the re-evaluation process to ensure that existing S3 buckets are compliant.
• C. Create an AWS Lambda function that is invoked by an Amazon EventBridge event rule. Define the rule with an event pattern that matches the creation of new S3 buckets. Program the Lambda function to parse the EventBridge event, check the configuration of the S3 buckets from the event, and set AES-256 as the default encryption.
• D. Configure an IAM policy that denies the s3:CreateBucket action if the s3:x-amz-server-side-encryption condition key has a value that is not AES-256. Create an IAM group for all the company’s IAM users. Associate the IAM policy with the IAM group.

Correct answer: B

Explanation

Option B is correct because the AWS Config managed rule 's3-bucket-server-side-encryption-enabled' can evaluate both existing and newly created S3 buckets for compliance, and using the 'AWS-EnableS3BucketEncryption' Systems Manager Automation runbook as a remediation action automatically applies AES-256 encryption to non-compliant buckets. Options A and C are incorrect because they rely on custom Lambda functions and scheduled/event-based rules that are more complex to maintain than native AWS Config rules and do not natively handle both existing and new buckets easily without custom code. Option D is incorrect because it only blocks future bucket creation actions and does not remediate existing unencrypted S3 buckets.