AWS Certified Security – Specialty — Question 97

A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The Security team has the following requirements for the architecture:
* Data must be encrypted in transit.
* Data must be encrypted at rest.
* The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.
Which combination of steps would meet the requirements? (Choose two.)

Answer options

• A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
• B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
• C. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.
• D. Add a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only.
• E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".
• F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Correct answer: B, C

Explanation

Choosing option B ensures that data is encrypted at rest using AWS KMS-managed keys, providing a higher level of control over encryption keys. Option C addresses the requirement for data encryption in transit by enforcing the use of secure transport protocols. The other options either do not address both encryption requirements or are not relevant to the specified security needs.