AWS Certified Solutions Architect – Professional (SAP-C02) — Question 182
A company is designing a new website that hosts static content. The website will give users the ability to upload and download large files. According to company requirements, all data must be encrypted in transit and at rest. A solutions architect is building the solution by using Amazon S3 and Amazon CloudFront.
Which combination of steps will meet the encryption requirements? (Choose three.)
Answer options
- A. Turn on S3 server-side encryption for the S3 bucket that the web application uses.
- B. Add a policy attribute of "aws:SecureTransport": "true" for read and write operations in the S3 ACLs.
- C. Create a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses.
- D. Configure encryption at rest on CloudFront by using server-side encryption with AWS KMS keys (SSE-KMS).
- E. Configure redirection of HTTP requests to HTTPS requests in CloudFront.
- F. Use the RequireSSL option in the creation of presigned URLs for the S3 bucket that the web application uses.
Correct answer: A, C, E
Explanation
Option A is correct because enabling server-side encryption for the S3 bucket ensures that data is encrypted at rest. Option C is also correct because denying unencrypted operations in the bucket policy enforces the security requirements. Option E is necessary to ensure that data is encrypted in transit, by redirecting HTTP traffic to HTTPS. Options B, D, and F, while relevant, do not address the requirement for encryption in transit and at rest as directly.