AWS Certified Solutions Architect – Professional (SAP-C02) — Question 49

A health insurance company stores personally identifiable information (PII) in an Amazon S3 bucket. The company uses server-side encryption with S3 managed encryption keys (SSE-S3) to encrypt the objects. According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company’s security team manages. The S3 bucket does not have versioning enabled.

Which solution will meet these requirements?

Answer options

Correct answer: B

Explanation

Option B is correct because it ensures that all objects are encrypted with keys managed by the company's security team by using SSE-KMS, and it includes a policy to deny unencrypted uploads. Option A is incorrect as it retains the use of SSE-S3 instead of transitioning to customer managed keys. Option C does not fulfill the requirement for managed keys since it focuses on automatic encryption during requests, and Option D incorrectly specifies AES-256, which does not meet the security team's requirements for key management.
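As an added illustration (not part of the question bank), the controls behind option B modelled locally in Python: the SSE-KMS default-encryption configuration for future objects, the bucket policy that denies uploads not using the security team's key, a small evaluator for that policy's StringNotEquals conditions, and the in-place copy that re-encrypts existing objects. The bucket name and key ARN are constructed placeholders, and the evaluator assumes IAM's documented rule that a negated operator evaluates to true when its condition key is absent from the request context.

```python
import json

# Constructed placeholders; substitute the real bucket name and the security team's CMK ARN.
BUCKET = "example-pii-bucket"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def default_encryption_config(kms_key_arn):
    """Bucket default encryption: future objects uploaded without SSE headers get SSE-KMS with this CMK."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True,
    }]}


def deny_non_kms_uploads_policy(bucket, kms_key_arn):
    """Bucket policy: deny PutObject unless the request asks for SSE-KMS with exactly this CMK."""
    def deny(sid, key, value):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringNotEquals": {key: value}}}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyNonKmsUploads", "s3:x-amz-server-side-encryption", "aws:kms"),
        deny("DenyOtherKmsKeys", "s3:x-amz-server-side-encryption-aws-kms-key-id", kms_key_arn),
    ]}


def put_object_denied(policy, request_context):
    """Evaluate the Deny statements against a PutObject request context (condition key -> value).
    Assumed IAM semantics for negated operators: StringNotEquals is true when the key is absent, so an
    upload that omits the SSE headers is denied even though default encryption would have covered it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, required in stmt["Condition"]["StringNotEquals"].items():
            if request_context.get(key) != required:
                return True, stmt["Sid"]
    return False, None


def in_place_reencrypt_params(bucket, key, kms_key_arn):
    """Arguments (shaped for boto3 copy_object) that rewrite an existing SSE-S3 object onto itself under
    SSE-KMS. With versioning disabled the copy replaces the object outright; no old version is retained."""
    return {"Bucket": bucket, "Key": key, "CopySource": {"Bucket": bucket, "Key": key},
            "MetadataDirective": "COPY", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_arn}


if __name__ == "__main__":
    print(json.dumps(deny_non_kms_uploads_policy(BUCKET, CMK_ARN), indent=2))
    print(put_object_denied(deny_non_kms_uploads_policy(BUCKET, CMK_ARN), {}))
```

A client that sends `x-amz-server-side-encryption: aws:kms` without naming the key is still denied by the second statement, which is the behaviour to test before rolling the policy out.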