Learn how to secure your S3 data access from EC2 by enforcing encryption in transit. Find out the best practice to grant the S3 GetObject permission and deny unencrypted requests.
Table of Contents
Question
A company has an Amazon S3 bucket that contains sensitive data. The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3 bucket.
How can the developer enforce that all requests to retrieve the data provide encryption in transit?
A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.
B. Define a resource-based policy on the S3 bucket to allow access when a request meets the condition “aws:SecureTransport”: “false”.
C. Define a role-based policy on the other accounts’ roles to deny access when a request meets the condition of “aws:SecureTransport”: “false”.
D. Define a resource-based policy on the KMS key to deny access when a request meets the condition of “aws:SecureTransport”: “false”.
Answer
A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.
Explanation
The correct answer to the question is A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.
The reason for this answer is that:
- Option A: Defining a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false” is an effective way to enforce encryption in transit for all requests to retrieve the data from the S3 bucket. A resource-based policy is a policy that you attach to an AWS resource, such as an S3 bucket or a KMS key, to specify who can access that resource and under what conditions. The “aws:SecureTransport” condition key is a global condition key that you can use to check if the request was sent using SSL (HTTPS). By setting this condition key to “false”, you can deny any requests that are not using SSL, thus ensuring encryption in transit.
- Option B: Defining a resource-based policy on the S3 bucket to allow access when a request meets the condition “aws:SecureTransport”: “false” is not a correct way to enforce encryption in transit for all requests to retrieve the data from the S3 bucket. This option would have the opposite effect of what is intended, as it would grant access to requests that are not using SSL, thus allowing unencrypted data transfers. This option would also override any existing deny statements in the bucket policy, making it less secure.
- Option C: Defining a role-based policy on the other accounts’ roles to deny access when a request meets the condition of “aws:SecureTransport”: “false” is not a sufficient way to enforce encryption in transit for all requests to retrieve the data from the S3 bucket. A role-based policy is a policy that you attach to an IAM role, which is an entity that you can use to delegate permissions and access resources in AWS. A role-based policy can only affect the requests that are made using that role, but it cannot prevent other entities, such as users or services, from accessing the S3 bucket without encryption in transit. Therefore, this option would not cover all possible scenarios and would leave some security gaps.
- Option D: Defining a resource-based policy on the KMS key to deny access when a request meets the condition of “aws:SecureTransport”: “false” is not a relevant way to enforce encryption in transit for all requests to retrieve the data from the S3 bucket. This option would affect the access to the KMS key, which is used for encrypting and decrypting the data at rest, but it would not affect the access to the S3 bucket, which is where the data is stored and retrieved. Therefore, this option would not address the requirement of encrypting the data in transit.
The latest AWS Certified Developer – Associate DVA-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Developer – Associate DVA-C02 exam and earn AWS Certified Developer – Associate DVA-C02 certification.
