Q: 1
A company has an Amazon S3 bucket that contains sensitive data.
The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket
by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other
AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3
bucket.
How can the developer enforce that all requests to retrieve the data provide encryption in transit?
Options
Discussion
Saw something like this reported on practice exams and it's always A. Only the S3 bucket policy with aws:SecureTransport can force HTTPS. Not totally sure if KMS can, but pretty certain it's not D.
A Had something like this in a mock, definitely a resource-based policy on the S3 bucket using aws:SecureTransport is the way AWS recommends to force HTTPS. Not 100 percent but fits official docs.
I always thought D could work since KMS is part of the encryption story, so D.
A for sure
Has anyone checked the AWS documentation for S3 bucket policy conditions? I remember seeing aws:SecureTransport enforced in official guides and some practice tests, but just want to confirm it's always bucket-level not KMS.
Nah, not D. KMS policy can't enforce HTTPS, that's handled at the S3 bucket with aws:SecureTransport. A's the right move.
A not D. KMS policy doesn't enforce transport encryption, that's handled at the S3 bucket policy level with aws:SecureTransport.
Yeah I get why D looks tempting but it's really A here.
It's A, resource-based bucket policy is the right way, D's a common trap since KMS can't enforce S3 API usage.
Feels like A is right for S3 bucket policy, but I'm still thinking about D too.
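The control the thread converges on, as an added example (not part of the original page or any AWS code): a small Python audit that checks whether a bucket policy carries an explicit Deny on `aws:SecureTransport` being false that covers `s3:GetObject`. The bucket name, account ID, sample policies and function names are constructed placeholders.

```python
import re

# Constructed samples: bucket name and account ID are placeholders.
BUCKET = "arn:aws:s3:::example-bucket"
ALLOW = {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}
DENY_PLAINTEXT = {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                  "Resource": [BUCKET, f"{BUCKET}/*"],
                  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
WEAK = {"Version": "2012-10-17", "Statement": [ALLOW]}
HARDENED = {"Version": "2012-10-17", "Statement": [ALLOW, DENY_PLAINTEXT]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, flags=0):
    # Policy wildcards: * matches any run of characters, ? exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None


def denies_plaintext(stmt, object_arn, action="s3:GetObject"):
    """True if stmt denies `action` on `object_arn` to everyone when TLS is absent."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    cond = stmt.get("Condition", {})
    bools = {k.lower(): v for k, v in cond.get("Bool", {}).items()}
    # Any extra operator or key would narrow the Deny, so require exactly this one.
    if set(cond) != {"Bool"} or set(bools) != {"aws:securetransport"}:
        return False
    return (any(str(v).lower() == "false" for v in _as_list(bools["aws:securetransport"]))
            and any(_glob(a, action, re.I) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, object_arn) for r in _as_list(stmt.get("Resource", []))))


def enforces_tls(policy, object_arn):
    return any(denies_plaintext(s, object_arn)
               for s in _as_list(policy.get("Statement", [])))


if __name__ == "__main__":
    key = f"{BUCKET}/reports/q1.csv"
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "enforces TLS for GetObject:", enforces_tls(policy, key))
```

The check is deliberately strict: a Deny that is scoped to one prefix or narrowed by a second condition key is reported as not enforcing TLS for the object being tested.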