AWS Certified Security – Specialty — Question 100
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access only an assigned folder.
What should the Security Engineer do to achieve this?
Answer options
- A. Use envelope encryption with the AWS-managed CMK aws/s3.
- B. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
- C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
- D. Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
Correct answer: D
Explanation
The correct answer is D because it tailors the IAM policy to allow access only to the specific folder associated with each user, thus achieving the required access restriction. Options A and B focus on encryption methods that do not directly control user access to specific folders, while option C would be overly complex and inefficient because it creates a separate key for every user.
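The following identity-based IAM policy is an added example of the approach in option D; it is not part of the original question. It assumes the bucket name examplebucket from the question and attaches to an IAM user or group. The ${aws:username} variable is substituted at evaluation time with the calling IAM user's name, so one policy gives every user a private prefix. Object-level actions are scoped to the user's prefix, while s3:ListBucket (a bucket-level action) is allowed only with an s3:prefix condition so users cannot enumerate other users' folders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::examplebucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${aws:username}/",
            "${aws:username}/*"
          ]
        }
      }
    },
    {
      "Sid": "ReadWriteOwnFolderOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }
  ]
}
```

Two points to check when applying this: ${aws:username} resolves only for IAM users, so for federated identities or role sessions you would key the prefix on a different variable such as ${aws:userid} or a session tag instead; and this policy must be the users' only grant to the bucket, because any broader Allow elsewhere (another IAM policy or the bucket policy) would reopen access to the whole bucket regardless of this prefix restriction.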