AWS Certified Security – Specialty — Question 327
A company wants to prevent public exposure of data that is stored in Amazon S3.
Which combination of steps should a security engineer take to meet this requirement? (Choose two.)
Answer options
- A. Turn on S3 Block Public Access.
- B. Enforce S3 bucket encryption by using server-side encryption with AWS KMS managed keys (SSE-KMS).
- C. Enforce S3 bucket encryption by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
- D. Use S3 Storage Lens.
- E. Use Amazon Macie.
Correct answer: A, B
Explanation
Enabling S3 Block Public Access provides a centralized, account- or bucket-level control that prevents public access to S3 buckets and objects regardless of individual bucket policies or ACLs. Enforcing encryption with AWS KMS managed keys (SSE-KMS) adds a second layer of protection: even if an object is exposed, unauthorized users cannot decrypt it without permission to use the KMS key (for example, kms:Decrypt on that key), whereas SSE-S3 decrypts transparently for anyone with read access to the object. S3 Storage Lens and Amazon Macie provide visibility and detection (storage metrics and sensitive-data discovery respectively) but do not themselves prevent public exposure.