AWS Certified SysOps Administrator – Associate (legacy) — Question 706
A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)
Answer options
- A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
- B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
- C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
- D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
- E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
Correct answer: C, E
Explanation
Amazon S3 default encryption automatically encrypts any new object uploaded to a bucket when the request provides no encryption information, while S3 bucket policies can be configured to explicitly deny upload requests that do not specify server-side encryption. AWS Shield is a DDoS protection service, Amazon Inspector is a vulnerability management service, and object ACLs cannot enforce encryption requirements during upload.