AWS Certified Security – Specialty — Question 282
A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket that stores the files is configured for server-side encryption with S3 managed encryption keys (SSE-S3).
According to new security requirements, the company must control all encryption keys. Additionally, all objects in the S3 bucket must be encrypted by a key that the company controls.
Which combination of steps must a security engineer take to meet these requirements? (Choose three.)
Answer options
- A. Create a new customer managed CMK in AWS Key Management Service (AWS KMS).
- B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided encryption keys (SSE-C).
- C. Configure the PHP SDK to use the SSE-S3 key to encrypt the data before the data is uploaded to Amazon S3.
- D. Create an AWS managed CMK for Amazon S3 in AWS Key Management Service (AWS KMS).
- E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
- F. Change all the S3 objects in the bucket to use the new encryption key.
Correct answer: A, E, F
Explanation
Only a customer managed CMK (now called a customer managed KMS key) gives the company control of the key itself: the company owns the key policy and grants, can enable, disable or schedule deletion of the key, and sets its rotation schedule (Option A). An AWS managed CMK (Option D) is created and used on the company's behalf, but its key policy cannot be edited, it cannot be disabled or deleted, and its rotation is fixed, so it does not satisfy a "company controls all keys" requirement. Option C is not possible at all: the key material behind SSE-S3 never leaves the S3 service, so the PHP SDK has nothing to encrypt with before upload. Option B (SSE-C) would keep the key out of AWS's hands, but the application would then have to generate, protect, and send the key with every request and S3 would store nothing it could use to recover the data; the intended design here is to hold the key in KMS. The bucket's default encryption must then be changed to SSE-KMS using the new customer managed CMK (Option E); a bucket policy that denies PutObject requests specifying SSE-S3 or a different KMS key (the `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` condition keys) stops clients that set their own encryption header from bypassing the default. Finally, default encryption applies only to objects written after the change, so every existing object must be re-encrypted, typically by copying each object onto itself with the new key (Option F). In a versioned bucket that copy creates a new object version; earlier versions remain encrypted under SSE-S3 until they are deleted or expire.
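The following is an added example, not code from the exam question or from AWS: it carries out Options E and F as one audit-and-fix routine and shows the checks a practitioner would want around them (skip objects already on the right key, compare key ARNs rather than aliases, and flag objects above the single-call CopyObject size limit instead of silently skipping them). The S3 client is injected, so the same functions run against `boto3.client("s3")` or against the constructed `FakeS3` stand-in included for offline use. `BUCKET`, `KEY_ARN` and the object inventory are placeholders.

```python
"""Audit and re-encrypt an S3 bucket under a customer managed KMS key.

Added example, not part of the original question. The S3 client is injected,
so the same functions run against boto3 (boto3.client("s3")) or against the
constructed FakeS3 stand-in defined below for offline use. BUCKET and KEY_ARN
are placeholders.
"""

BUCKET = "example-user-files"  # placeholder bucket name
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder
COPY_LIMIT = 5 * 1024 ** 3  # CopyObject accepts at most 5 GiB in a single call


def set_default_encryption(s3, bucket, key_arn):
    """Option E: make SSE-KMS with the company's key the bucket default.

    This governs future PUTs only; objects already in the bucket are untouched.
    BucketKeyEnabled has S3 cache a bucket-level data key to cut KMS call volume.
    """
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn},
            "BucketKeyEnabled": True}]},
    )


def object_uses_key(head, key_arn):
    """True when a HeadObject response shows SSE-KMS under key_arn.

    S3 reports SSEKMSKeyId as the key's full ARN however the key was named on
    upload, so compare ARNs, never aliases or bare key IDs.
    """
    return (head.get("ServerSideEncryption") == "aws:kms"
            and head.get("SSEKMSKeyId") == key_arn)


def reencrypt_bucket(s3, bucket, key_arn):
    """Option F: copy each non-compliant object onto itself with the new key.

    Returns object keys grouped by outcome. Objects over the single-call
    CopyObject limit are reported rather than skipped silently; they need a
    multipart copy (UploadPartCopy), which this example leaves out.
    """
    outcome = {"already_compliant": [], "reencrypted": [], "too_large": []}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):  # an empty bucket returns no Contents
            key = obj["Key"]
            head = s3.head_object(Bucket=bucket, Key=key)
            if object_uses_key(head, key_arn):
                outcome["already_compliant"].append(key)
            elif head["ContentLength"] > COPY_LIMIT:
                outcome["too_large"].append(key)
            else:
                s3.copy_object(
                    Bucket=bucket, Key=key,
                    CopySource={"Bucket": bucket, "Key": key},
                    ServerSideEncryption="aws:kms", SSEKMSKeyId=key_arn,
                    MetadataDirective="COPY",  # keep user metadata, change only the key
                )
                outcome["reencrypted"].append(key)
    return outcome


class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 client (offline demo only)."""

    def __init__(self, objects):
        self.objects = objects  # key -> HeadObject-style dict
        self.bucket_encryption = None

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.bucket_encryption = ServerSideEncryptionConfiguration

    def get_paginator(self, name):
        objects = self.objects

        class Paginator:
            def paginate(self, Bucket):
                yield {"Contents": [{"Key": k} for k in objects]}
        return Paginator()

    def head_object(self, Bucket, Key):
        return dict(self.objects[Key])

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption,
                    SSEKMSKeyId, MetadataDirective):
        self.objects[Key].update(
            ServerSideEncryption=ServerSideEncryption, SSEKMSKeyId=SSEKMSKeyId)


def sample_bucket():
    """Constructed inventory: one SSE-S3 object, one already on KEY_ARN, one oversized SSE-S3 object."""
    return FakeS3({
        "uploads/a.pdf": {"ContentLength": 1024, "ServerSideEncryption": "AES256"},
        "uploads/b.jpg": {"ContentLength": 2048, "ServerSideEncryption": "aws:kms",
                          "SSEKMSKeyId": KEY_ARN},
        "uploads/huge.iso": {"ContentLength": 6 * 1024 ** 3, "ServerSideEncryption": "AES256"},
    })


def demo(s3=None):
    """Run Options E and F against the sample bucket (or a real boto3 client)."""
    if s3 is None:
        s3 = sample_bucket()
    set_default_encryption(s3, BUCKET, KEY_ARN)
    return reencrypt_bucket(s3, BUCKET, KEY_ARN)


if __name__ == "__main__":
    print(demo())
```

For a real bucket, pass `boto3.client("s3")` to `demo()` from a principal that has `kms:GenerateDataKey` and `kms:Decrypt` on the new key as well as `s3:GetObject` and `s3:PutObject` on the bucket; the second pass over the same bucket should report every object as already compliant, which is the check that Option F is complete. For buckets with millions of objects, S3 Batch Operations with a Copy job does the same work without a long-running script, and in a versioned bucket remember that the copy leaves the earlier SSE-S3 versions in place.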