Skip to Content

DVA-C02: How to Encrypt S3 Data in Transit and at Rest with AWS KMS

By: Author Alex Lim

Posted on Last updated:

Home > DVA-C02: How to Encrypt S3 Data in Transit and at Rest with AWS KMS

Learn how to use AWS Key Management Service (AWS KMS) to encrypt data in an Amazon S3 bucket in transit and at rest. Find out how to grant other AWS accounts the permission to access the data securely and how to enforce encryption in transit with a resource-based policy.

Question

A company has an Amazon S3 bucket that contains sensitive data. The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3 bucket.

How can the developer enforce that all requests to retrieve the data provide encryption in transit?

A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.

B. Define a resource-based policy on the S3 bucket to allow access when a request meets the condition “aws:SecureTransport”: “false”.

C. Define a role-based policy on the other accounts’ roles to deny access when a request meets the condition of “aws:SecureTransport”: “false”.

D. Define a resource-based policy on the KMS key to deny access when a request meets the condition of “aws:SecureTransport”: “false”.

Answer

A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.

Explanation

The correct answer is A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.

Here is a detailed explanation:

  • Option A is the best solution because it enforces encryption in transit by using a resource-based policy on the S3 bucket. A resource-based policy is a policy that is attached to an AWS resource, such as an S3 bucket or a KMS key, and specifies who can access the resource and under what conditions. By using the condition key “aws:SecureTransport” with the value “false”, the policy denies access to any request that does not use HTTPS protocol, which provides encryption in transit. This way, the developer can ensure that all requests to retrieve the data from the S3 bucket are encrypted in transit.
  • Option B is not a valid solution because it allows access when a request meets the condition “aws:SecureTransport”: “false”. This means that the policy grants access to any request that does not use HTTPS protocol, which does not provide encryption in transit. This way, the developer cannot ensure that all requests to retrieve the data from the S3 bucket are encrypted in transit.
  • Option C is not a valid solution because it uses a role-based policy instead of a resource-based policy. A role-based policy is a policy that is attached to an IAM role, which is an identity that can be assumed by users or services to perform actions on AWS resources. By using a role-based policy, the developer can only control the access of the users or services that assume the role, but not the access of other AWS accounts or principals that may have permission to access the S3 bucket. Moreover, by using the condition key “aws:SecureTransport” with the value “false”, the policy denies access to any request that does not use HTTPS protocol, which may prevent the users or services that assume the role from accessing the S3 bucket even if they use HTTPS protocol.
  • Option D is not a valid solution because it uses a resource-based policy on the KMS key instead of the S3 bucket. A resource-based policy on the KMS key can control who can use the key to encrypt or decrypt data, but not who can access the data in the S3 bucket. By using the condition key “aws:SecureTransport” with the value “false”, the policy denies access to any request that does not use HTTPS protocol, which may prevent some users or services from using the key to encrypt or decrypt data, but not from accessing the data in the S3 bucket.

Therefore, option A is the best solution that enforces encryption in transit by using a resource-based policy on the S3 bucket.

The latest AWS Certified Developer – Associate DVA-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Developer – Associate DVA-C02 exam and earn AWS Certified Developer – Associate DVA-C02 certification.

AWS Certified Developer - Associate DVA-C02 Exam Questions and Answers

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.