
Exam AWS Certified Solutions Architect - Professional topic 1 question 787 discussion

A medical company is building a data lake on Amazon S3. The data must be encrypted in transit and at rest. The data must remain protected even if an S3 bucket is inadvertently made public.
Which combination of steps will meet these requirements? (Choose three.)

  • A. Ensure that each S3 bucket has a bucket policy that includes a Deny statement if the aws:SecureTransport condition is not present.
  • B. Create a CMK in AWS Key Management Service (AWS KMS). Turn on server-side encryption (SSE) on the S3 buckets, select SSE-KMS for the encryption type, and use the CMK as the key.
  • C. Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an "s3:x-amz-server-side-encryption":"aws:kms" condition.
  • D. Turn on server-side encryption (SSE) on the S3 buckets and select SSE-S3 for the encryption type.
  • E. Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an "s3:x-amz-server-side-encryption":"AES256" condition.
  • F. Turn on AWS Config. Use the s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, and s3-bucket-ssl-requests-only AWS Config managed rules to monitor the S3 buckets.
Suggested Answer: ABC
To distinguish HTTP from HTTPS requests in a bucket policy, use a condition that checks the key "aws:SecureTransport". When this key is true, the request was sent over HTTPS. To comply with the s3-bucket-ssl-requests-only rule, create a bucket policy that explicitly denies access when the request meets the condition "aws:SecureTransport": "false". This policy explicitly denies all HTTP requests.
When you create an object, you can specify server-side encryption with AWS Key Management Service (AWS KMS) keys to encrypt your data. This applies both when uploading a new object and when copying an existing object. This encryption is known as SSE-KMS.
To enforce object encryption, create an S3 bucket policy that denies any S3 Put request that does not include the x-amz-server-side-encryption header.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-kms-encryption.html
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
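As an added illustration (not part of the original question or the linked AWS pages), the bucket policy below combines answers A and C, and a small evaluator checks sample request contexts against it using IAM's semantics for the Bool, Null and StringNotEquals operators. The bucket name and the simplified action/resource matching are assumptions; answer B (the CMK itself) is created outside the policy.

```python
BUCKET = "example-data-lake"  # constructed placeholder, not a real bucket
ARN = f"arn:aws:s3:::{BUCKET}"

# Bucket policy combining answers A and C (answer B supplies the CMK itself).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [ARN, f"{ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{ARN}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}


def _condition_matches(condition, ctx):
    """Evaluate the three operators used above against a request-context dict.
    IAM semantics: StringNotEquals (negated) matches when the key is absent,
    Null/"true" matches an absent key, and Bool requires the key to be present."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Bool":
                ok = have is not None and str(have).lower() == want
            elif operator == "Null":
                ok = (have is None) == (want == "true")
            elif operator == "StringNotEquals":
                ok = have is None or have != want
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def denied_by(action, ctx, policy=POLICY):
    """Return the Sid of the first Deny statement that blocks the request, else None.
    Resource matching is omitted: every request is assumed to target this bucket."""
    for stmt in policy["Statement"]:
        if stmt["Action"] not in ("s3:*", action):
            continue
        if _condition_matches(stmt["Condition"], ctx):
            return stmt["Sid"]
    return None
```

A PutObject over HTTPS that carries AES256 instead of aws:kms is denied by the StringNotEquals statement, which is why answer C rules out SSE-S3 uploads while answer E would permit them.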

Comments

SkyZeroZx
1 year, 5 months ago
Selected Answer: ABC
Is it ABC, not ACD? Why? Option C "forces" the choice of B through the "aws:kms" condition.
upvoted 1 times
asfsdfsdf
2 years, 4 months ago
ABC - must use a CMK to avoid public access by unauthorized users (no access to the key). Must enforce the aws:kms header in order to make sure all objects are encrypted with the CMK (SSE-KMS). Finally, need to make sure aws:SecureTransport is set to true, which means SSL.
upvoted 4 times
RVD
2 years, 8 months ago
In order to enforce object encryption, create an S3 bucket policy that denies any S3 Put request that does not include the x-amz-server-side-encryption header. There are two possible values for the x-amz-server-side-encryption header: AES256, which tells S3 to use S3-managed keys, and aws:kms, which tells S3 to use AWS KMS–managed keys.
upvoted 1 times
kenchou73
2 years, 8 months ago
Selected Answer: ABC
Due to the requirement of the Data Lake, ABC is better than ADE. That needs SSE-KMS but not SSE-S3. https://aws.amazon.com/blogs/big-data/build-secure-encrypted-data-lakes-with-aws-lake-formation/
upvoted 1 times
Serial_X25
2 years, 8 months ago
A, B, C is correct. In my opinion, if you are using SSE-S3, since you have access to the bucket the S3 service will automatically decrypt the file for you, but with SSE-KMS we have: "To upload an object encrypted with an AWS KMS key to Amazon S3, you need kms:GenerateDataKey permissions on the key. To download an object encrypted with an AWS KMS key, you need kms:Decrypt permissions.", from https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html Then, just making the S3 bucket public is not enough to have access to the files; you also need access to KMS.
upvoted 2 times
panton
2 years, 10 months ago
I'll go ABC. A - to use encryption at rest, SSL should be enabled. B - create the key. C - require the key on PutObject.
upvoted 1 times
wahlbergusa
2 years, 11 months ago
A, B, C is correct. The reason SSE-S3 is not appropriate is that if the user has access privileges to S3, then they will automatically have access to the S3 key as well.
upvoted 1 times
Bigbearcn
2 years, 10 months ago
I don't agree. SSE-S3 and SSE-KMS are equally secure. The difference is who manages the key. ABC is a combined solution, but D isn't.
upvoted 3 times
wahlbergusa
2 years, 10 months ago
Not sure I understand. There is segregation of duties on SSE-KMS, you can assign a key policy to the KMS Key. Hence the reason it is more secure in terms of access controls to the service.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other