AWS Certified Security – Specialty — Question 430
A company is designing a solution to serve content from an Amazon CloudFront distribution that will have an Amazon S3 bucket as the origin. A security engineer needs to encrypt S3 data at rest with an AWS Key Management Service (KMS) customer managed key rather than with an S3 managed key. The solution must minimize operational overhead.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
Answer options
- A. Create the S3 bucket. Configure server-side encryption with a customer managed KMS key.
- B. Create the S3 bucket. Configure server-side encryption with customer-provided encryption keys (SSE-C).
- C. Create the CloudFront distribution. Use the S3 bucket as the origin. Configure the distribution to use an origin access identity (OAI).
- D. Create the CloudFront distribution. Use the S3 bucket as the origin. Delete the origin access identity (OAI) configuration.
- E. Configure the CloudFront distribution cache to encrypt data at rest by using the customer managed KMS key.
- F. Create a Lambda@Edge function that runs for origin request events and reads from the S3 bucket by using the customer managed KMS key.
Correct answer: A, D, F
Explanation
Configuring the S3 bucket with server-side encryption under a customer managed KMS key (SSE-KMS) satisfies the requirement for encryption at rest with a customer managed key rather than an S3 managed key. Because traditional Origin Access Identities (OAI) do not support S3 buckets encrypted with customer managed KMS keys, the OAI configuration must be removed, and a Lambda@Edge function attached to origin request events must retrieve the S3 objects programmatically, with the decrypt operation performed through the customer managed KMS key. The remaining options either use an encryption method that does not match the requirement (SSE-C, which relies on customer-provided keys rather than a KMS key) or depend on OAI configurations that are not supported for KMS-encrypted origins.