AWS Certified Solutions Architect – Professional — Question 620

A medical company is building a data lake on Amazon S3. The data must be encrypted in transit and at rest. The data must remain protected even if S3 bucket is inadvertently made public.
Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Ensure that each S3 bucket has a bucket policy that includes a Deny statement if the aws:SecureTransport condition is not present.
• B. Create a CMK in AWS Key Management Service (AWS KMS). Turn on server-side encryption (SSE) on the S3 buckets, select SSE-KMS for the encryption type, and use the CMK as the key.
• C. Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an ג€s3:x-amz-server-side- encryptionג€:ג€aws:kmsג€ condition.
• D. Turn on server-side encryption (SSE) on the S3 buckets and select SSE-S3 for the encryption type.
• E. Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an ג€s3:x-amz-server-side- encryptionג€:ג€AES256ג€ condition.
• F. Turn on AWS Config. Use the s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, and s3-bucket-ssl-requests-only AWS Config managed rules to monitor the S3 buckets.

Correct answer: A, B, C

Explanation

To enforce encryption in transit, S3 bucket policies must deny requests that do not use HTTPS (aws:SecureTransport is false), making A correct. To protect data if a bucket is inadvertently made public, SSE-KMS with a customer managed key (B) must be used alongside a policy to enforce it (C), because unauthorized public users will not have the required KMS decrypt permissions even if they have S3 read access. SSE-S3 (D, E) is insufficient because S3 automatically decrypts the objects for anyone who has read access to the S3 bucket.