Learn how to use AWS Key Management Service (AWS KMS) to encrypt data in an Amazon S3 bucket in transit and at rest. Find out how to grant other AWS accounts the permission to access the data securely and how to enforce encryption in transit with a resource-based policy.
Question
A company has an Amazon S3 bucket that contains sensitive data. The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3 bucket.
How can the developer enforce that all requests to retrieve the data provide encryption in transit?
A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.
B. Define a resource-based policy on the S3 bucket to allow access when a request meets the condition “aws:SecureTransport”: “false”.
C. Define a role-based policy on the other accounts’ roles to deny access when a request meets the condition of “aws:SecureTransport”: “false”.
D. Define a resource-based policy on the KMS key to deny access when a request meets the condition of “aws:SecureTransport”: “false”.
Answer
A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.
Explanation
The correct answer is A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.
Here is a detailed explanation:
- Option A is the best solution because it enforces encryption in transit by using a resource-based policy on the S3 bucket. A resource-based policy is attached to an AWS resource, such as an S3 bucket or a KMS key, and specifies who can access the resource and under what conditions. By using the condition key “aws:SecureTransport” with the value “false” in a deny statement, the policy denies any request that does not use the HTTPS protocol, which provides encryption in transit. This way, the developer can ensure that all requests to retrieve the data from the S3 bucket are encrypted in transit.
- Option B is not a valid solution because it allows access when a request meets the condition “aws:SecureTransport”: “false”. This means that the policy grants access to any request that does not use the HTTPS protocol, which provides no encryption in transit. This way, the developer cannot ensure that all requests to retrieve the data from the S3 bucket are encrypted in transit.
- Option C is not a valid solution because it uses a role-based policy instead of a resource-based policy. A role-based policy is attached to an IAM role, which is an identity that users or services can assume to perform actions on AWS resources. By using a role-based policy, the developer can only control the access of the users or services that assume that role, not the access of other AWS accounts or principals that may have permission to access the S3 bucket. Moreover, by using the condition key “aws:SecureTransport” with the value “false”, the policy denies access to any request that does not use the HTTPS protocol, which may prevent the users or services that assume the role from accessing the S3 bucket even if they use the HTTPS protocol.
- Option D is not a valid solution because it uses a resource-based policy on the KMS key instead of on the S3 bucket. A resource-based policy on the KMS key can control who can use the key to encrypt or decrypt data, but not who can access the data in the S3 bucket. By using the condition key “aws:SecureTransport” with the value “false”, the policy denies access to any request that does not use the HTTPS protocol, which may prevent some users or services from using the key to encrypt or decrypt data, but not from accessing the data in the S3 bucket.
Therefore, option A is the best solution that enforces encryption in transit by using a resource-based policy on the S3 bucket.
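The following is an added example, not code from the original page or from AWS: it shows what the option A bucket policy looks like (a cross-account `s3:GetObject` allow plus an explicit deny on `aws:SecureTransport: false`) and includes a small, simplified evaluator that demonstrates why the deny statement wins over the allow for any request sent over plain HTTP. The bucket name and account IDs are constructed placeholders, and the evaluator only models the bucket policy itself, not the full IAM evaluation logic.

```python
"""Added example (not from the original page): an S3 bucket policy that grants
cross-account s3:GetObject and explicitly denies non-TLS requests, plus a
simplified evaluator that shows how an explicit Deny overrides an Allow."""
import fnmatch
import json

# Constructed placeholder identifiers; replace with real values when deploying.
BUCKET_ARN = "arn:aws:s3:::example-sensitive-bucket"
TRUSTED_ACCOUNTS = ["111111111111", "222222222222"]

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountGetObject",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in TRUSTED_ACCOUNTS]},
            "Action": "s3:GetObject",
            "Resource": f"{BUCKET_ARN}/*",
        },
        {
            # Option A from the question: deny anything that is not sent over TLS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def policy_json() -> str:
    """Serialize the policy as it would be passed to put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account_id: str) -> bool:
    """'*' matches everyone; otherwise match the caller's account root ARN."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", []))
    return "*" in arns or f"arn:aws:iam::{account_id}:root" in arns


def _statement_matches(stmt: dict, req: dict) -> bool:
    """Check principal, action, resource and the Bool condition keys."""
    if not _principal_matches(stmt["Principal"], req["account_id"]):
        return False
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        actual = "true" if req.get(key) else "false"  # e.g. req["aws:SecureTransport"]
        if actual != expected:
            return False
    return True


def evaluate(policy: dict, req: dict) -> str:
    """Simplified evaluation of the bucket policy alone: an explicit Deny
    always wins, then an Allow applies, otherwise the request is implicitly denied."""
    matched = [s for s in policy["Statement"] if _statement_matches(s, req)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "ExplicitDeny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


def get_object_request(account_id: str, secure: bool, key: str = "secret.txt") -> dict:
    """Build a constructed GetObject request context for the evaluator."""
    return {
        "account_id": account_id,
        "action": "s3:GetObject",
        "resource": f"{BUCKET_ARN}/{key}",
        "aws:SecureTransport": secure,
    }


if __name__ == "__main__":
    print(policy_json())
    print("trusted, HTTPS :", evaluate(BUCKET_POLICY, get_object_request("111111111111", True)))
    print("trusted, HTTP  :", evaluate(BUCKET_POLICY, get_object_request("111111111111", False)))
    print("untrusted, HTTPS:", evaluate(BUCKET_POLICY, get_object_request("333333333333", True)))
```

Two caveats a practitioner should keep in mind: for a cross-account request to succeed, the caller's own account must also grant `s3:GetObject` in an identity-based policy, and because the objects are encrypted with a KMS key, the key policy must additionally allow those accounts `kms:Decrypt`; the bucket policy's deny statement is what enforces TLS regardless of those grants.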