AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A security engineer must protect sensitive data that is uploaded to an Amazon S3 bucket. The engineer's requirements are:
Encrypt data in transit by allowing only SSL/TLS connections to the bucket.
Encrypt data at rest with the customer-managed AWS KMS key arn:aws:kms:us-east-1:123456789012:key/abcd1234.
Which of the following statements best describes AWS best practice for meeting both requirements?
A bucket policy can enforce SSL/TLS, but it can require only the AWS-managed key (aws/s3); customer-managed keys cannot be specified in policy conditions.
Enforcing SSL/TLS and a specific customer-managed KMS key in the bucket policy aligns with AWS security best practices for protecting data in transit and at rest.
Using a bucket policy to require SSL/TLS is unnecessary because Amazon S3 automatically forces HTTPS; only default encryption needs to be enabled.
Enabling SSE-S3 encryption at rest makes enforcing SSL/TLS in transit redundant, so the bucket policy only needs to specify the aes256 header.
AWS best practice is to enforce both controls with a bucket policy that (1) denies all requests when the global condition key aws:SecureTransport is false, ensuring that only HTTPS traffic is allowed, and (2) denies PUT operations that do not specify server-side encryption with the designated customer-managed KMS key via the condition keys s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id. This configuration encrypts data both in transit and at rest while giving the organization full control and auditability over the CMK.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the function of SSL in data transfer?
Open an interactive chat with Bash
What are KMS and CMK in AWS?
Open an interactive chat with Bash
What are the best practices for managing data security in AWS?