AWS Certified Security – Specialty (SCS-C03) — Question 45
A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization.
A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets.
Which solution will meet these requirements?
Answer options
- A. Use the s3-default-encryption-kms AWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
- B. Use the s3-default-encryption-kms AWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny the s3:PutObject action only when the object has server-side encryption with S3 managed keys (SSE-S3).
- C. Use the s3-bucket-ssl-requests-only AWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
- D. Use the s3-bucket-ssl-requests-only AWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
Correct answer: A
Explanation
Option A is correct. The s3-default-encryption-kms managed rule checks whether each bucket's default encryption is configured to use SSE-KMS, and because AWS Config is already enabled for the organization the rule can be deployed once as an organization Config rule rather than per account. (Since January 2023 S3 applies SSE-S3 to every new object by default, so "unencrypted" here effectively means "not encrypted with KMS".) An SCP then enforces the upload requirement centrally for every bucket in every member account. Two practitioner details matter: an SCP never grants permissions, so "allow s3:PutObject only when encrypted with KMS" is implemented as a Deny on s3:PutObject conditioned on the s3:x-amz-server-side-encryption request key (value aws:kms); and SCPs do not apply to the management account or to principals outside the organization, so cross-account or anonymous uploads to those buckets still need a bucket policy. The condition key reflects the request header, so clients must send it explicitly even when the bucket's default encryption is already SSE-KMS. Option B is incorrect: denying uploads only when they specify SSE-S3 does not block uploads that specify no encryption at all, and writing a separate policy for each of hundreds of buckets does not scale. Options C and D use s3-bucket-ssl-requests-only, which checks that a bucket policy requires TLS (aws:SecureTransport) for requests in transit and says nothing about encryption at rest.
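The following CloudFormation template is an added example, not part of the exam page or any AWS-published material, showing how option A can be deployed from the organization management account: the managed rule as an organization Config rule for detection, and the SCP written as Deny statements for prevention. The OU ID, the parameter name, the logical resource names, the Sids and the policy name are placeholders chosen for this example.

```yaml
# Added example (not from the exam page). Deploy from the management account;
# the OU ID below is a placeholder and must be replaced with your own.
AWSTemplateFormatVersion: "2010-09-09"
Description: Detect S3 buckets without SSE-KMS default encryption and block non-KMS uploads org-wide

Parameters:
  TargetOuId:
    Type: String
    Default: ou-abcd-12345678   # placeholder: the OU (or root) the SCP is attached to

Resources:
  # Detection: the managed rule s3-default-encryption-kms (identifier
  # S3_DEFAULT_ENCRYPTION_KMS) evaluated in every member account. It flags
  # buckets whose default encryption is anything other than SSE-KMS.
  DetectNonKmsDefaultEncryption:
    Type: AWS::Config::OrganizationConfigRule
    Properties:
      OrganizationConfigRuleName: s3-default-encryption-kms
      OrganizationManagedRuleMetadata:
        RuleIdentifier: S3_DEFAULT_ENCRYPTION_KMS
        Description: Flags S3 buckets whose default encryption is not SSE-KMS

  # Prevention: SCPs cannot grant, so "allow PutObject only with KMS" becomes
  # two Deny statements. The first rejects uploads that omit the encryption
  # header entirely; the second rejects any header value that is not KMS-based.
  RequireKmsOnPutObject:
    Type: AWS::Organizations::Policy
    Properties:
      Name: require-sse-kms-on-put-object
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref TargetOuId
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyPutObjectWithoutEncryptionHeader
            Effect: Deny
            Action: s3:PutObject
            Resource: "*"
            Condition:
              "Null":
                s3:x-amz-server-side-encryption: "true"
          - Sid: DenyPutObjectNotSseKms
            Effect: Deny
            Action: s3:PutObject
            Resource: "*"
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption:
                  - aws:kms
                  - aws:kms:dsse
```

Because the first statement denies any PutObject that lacks the header, SDK and CLI uploads must request KMS explicitly (for example `aws s3 cp ... --sse aws:kms`) even on buckets whose default encryption is already SSE-KMS; test the upload paths your workloads actually use before attaching the SCP to a production OU. The SCP still leaves the management account and principals outside the organization unconstrained, so buckets that accept cross-account uploads need an equivalent Deny in their bucket policy.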