Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 100 discussion

yeah is not good question, it should of been allow if thestring not equal : encrypted"

It is defo B, you are denying access if the condition is set not to encrypt in trasnit

The question is a bit tricky for me. The requirement is: "A security engineer must implement an S3 bucket policy that denies any S3 operations if data is not encrypted." Using HTTPS as a connection does not encrypt the data, it encrypts the connection. When using HTTPS to access an Amazon S3 bucket, the HTTPS encryption is de-encapsulated at the S3 service endpoint. This means the data transmitted between your application and the S3 endpoint is encrypted in transit using HTTPS, but once it reaches the S3 endpoint, the encryption is removed before the data is stored in S3.

Updated selection: Def. B

Enforce encryption of data in transit https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#security-best-practices-prevent

This question is requesting to make objects accessible only through HTTPS. Option B is correct because it specifies the bucket policy condition with correct syntax. Please refer to "Defense-in-depth requirement 2: Data must be accessible only by a limited set of public IP addresses" section in this link - https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/

Not sure if I'm fully correct here in selecting this ans. I'd go with C here cuz I feel like it is asked about no S3 bucket operation IF the data is not encrypted. It doesn't say about if the data is not securely in transit. That's why in my opinion, the AES256 encryption method should be mentioned under the conditional logic area in the bucket policy. But I'd appreciate if anyone else would like to discuss and clarify my understandings on this if I'm incorrect here... Thnx so much!

B. You want to deny where secure transport is false