AWS Certified Solutions Architect – Professional — Question 758
A company is using many Amazon S3 buckets to hold confidential data. Some of the S3 buckets are not encrypted. The company wants to use AWS Key Management Service (AWS KMS) customer managed keys to encrypt the S3 buckets. The company wants a solution that will detect any S3 buckets that are not encrypted and apply AWS KMS encryption to each noncompliant S3 bucket.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Configure the s3-default-encryption-kms AWS Config managed rule with manual remediation to check for AWS KMS encryption on the S3 buckets. Modify the properties of the noncompliant S3 buckets to turn on AWS KMS encryption.
- B. Configure a custom AWS Config rule with manual remediation to check for AWS KMS encryption on the S3 buckets. Modify the properties of the noncompliant buckets to turn on AWS KMS encryption.
- C. Configure the s3-default-encryption-kms AWS Config managed rule. Create an automatic remediation script for the rule that will turn on AWS KMS encryption for any noncompliant buckets.
- D. Configure a custom AWS Config rule to check for AWS KMS encryption on the S3 buckets. Create an automatic remediation script for the rule that will turn on AWS KMS encryption for any noncompliant buckets.
Correct answer: C
Explanation
Option C is correct because using the pre-built s3-default-encryption-kms AWS Config managed rule minimizes operational overhead compared to authoring and maintaining a custom AWS Config rule. Additionally, configuring automatic remediation means that buckets evaluated as noncompliant are re-encrypted without manual intervention, which satisfies the requirement for the least operational overhead better than the manual remediation options.
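As an added example (not part of the original question or answer key), the following CloudFormation template wires the managed rule to automatic remediation the way option C describes. It assumes an AWS Config recorder is already running in the account; the KMS key ARN and the Automation role ARN are placeholders passed in as parameters, and AWS-EnableS3BucketEncryption is the AWS-owned Systems Manager Automation document that sets a bucket's default encryption.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - detect S3 buckets without SSE-KMS default encryption and fix them automatically
Parameters:
  KmsKeyArn:
    Type: String
    Description: Placeholder - ARN of the customer managed KMS key to apply
  RemediationRoleArn:
    Type: String
    Description: Placeholder - role assumed by Automation; needs s3:PutEncryptionConfiguration
Resources:
  # Detection: managed rule, no custom Lambda to write or maintain.
  # kmsKeyArns narrows "compliant" to buckets using the listed key(s).
  S3DefaultEncryptionKmsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-default-encryption-kms
      Source:
        Owner: AWS
        SourceIdentifier: S3_DEFAULT_ENCRYPTION_KMS
      InputParameters:
        kmsKeyArns: !Ref KmsKeyArn
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  # Remediation: Config runs the AWS-owned Automation document against
  # every NON_COMPLIANT bucket, substituting the bucket name for RESOURCE_ID.
  S3EncryptionRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3DefaultEncryptionKmsRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-EnableS3BucketEncryption
      Automatic: true              # Automatic requires the two retry settings below
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values: [!Ref RemediationRoleArn]
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
        SSEAlgorithm:
          StaticValue:
            Values: ['aws:kms']
        KMSMasterKey:
          StaticValue:
            Values: [!Ref KmsKeyArn]
```

Switching `Automatic: true` to `false` gives the manual-remediation variant of options A and B, where each noncompliant bucket must be remediated by hand from the Config console.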