
DVA-C02: How to Enforce Encryption in Transit for S3 Data Access from EC2

Learn how to secure your S3 data access from EC2 by enforcing encryption in transit. Find out the best practice to grant the S3 GetObject permission and deny unencrypted requests.

Question

A company has an Amazon S3 bucket that contains sensitive data. The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3 bucket.

How can the developer enforce that all requests to retrieve the data provide encryption in transit?

A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.

B. Define a resource-based policy on the S3 bucket to allow access when a request meets the condition “aws:SecureTransport”: “false”.

C. Define a role-based policy on the other accounts’ roles to deny access when a request meets the condition of “aws:SecureTransport”: “false”.

D. Define a resource-based policy on the KMS key to deny access when a request meets the condition of “aws:SecureTransport”: “false”.

Answer

A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.

Explanation

The correct answer is A: define a resource-based policy on the S3 bucket that denies access when a request meets the condition “aws:SecureTransport”: “false”.

Why each option is or is not correct:

  • Option A: A resource-based policy on the S3 bucket that denies access when a request meets the condition “aws:SecureTransport”: “false” enforces encryption in transit for every request to retrieve data from the bucket. A resource-based policy is attached to an AWS resource, such as an S3 bucket or a KMS key, and specifies who can access that resource and under what conditions. The “aws:SecureTransport” global condition key records whether the request was sent over SSL/TLS (HTTPS). Denying when this key is “false” rejects every request that is not using SSL/TLS, so data in transit is always encrypted, regardless of which account or principal made the request.
  • Option B: A resource-based policy on the S3 bucket that allows access when a request meets the condition “aws:SecureTransport”: “false” does not enforce encryption in transit. It has the opposite effect of what is intended: it grants access to requests that are not using SSL/TLS, which permits unencrypted data transfers. This option would also override any existing deny statements in the bucket policy, making it less secure.
  • Option C: A role-based policy on the other accounts’ roles that denies access when a request meets the condition “aws:SecureTransport”: “false” is not sufficient to enforce encryption in transit for every request to the bucket. A role-based policy is attached to an IAM role, an entity used to delegate permissions and access resources in AWS. Such a policy only affects requests made with that role; it cannot prevent other entities, such as users or services, from accessing the S3 bucket without encryption in transit. It therefore does not cover all possible scenarios and leaves security gaps.
  • Option D: A resource-based policy on the KMS key that denies access when a request meets the condition “aws:SecureTransport”: “false” is not relevant to encryption in transit for the bucket. It controls access to the KMS key, which is used to encrypt and decrypt the data at rest, but not access to the S3 bucket, where the data is stored and retrieved. It therefore does not address the requirement to encrypt the data in transit.
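The following added example (not from the original page) builds the Option A bucket policy, including the cross-account GetObject allow statement, and then runs a deliberately simplified model of IAM policy evaluation against it to show that an explicit Deny on “aws:SecureTransport”: “false” wins even for a principal the Allow statement grants. The bucket name and account IDs are constructed, and the evaluator ignores identity policies, session policies and the many other condition operators real IAM supports.

```python
import fnmatch

BUCKET = "example-sensitive-bucket"                   # constructed bucket name
TRUSTED_ACCOUNTS = ["111111111111", "222222222222"]  # constructed account IDs

def build_bucket_policy(bucket, account_ids):
    """Option A as a bucket policy: allow GetObject for the other accounts,
    then deny every request that did not arrive over TLS (HTTPS)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCrossAccountGetObject", "Effect": "Allow",
             "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny",
             "Principal": "*",
             "Action": "s3:*",
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(st, principal, action, resource, ctx):
    """Does this statement apply to the request? (IAM-style wildcards via fnmatch)"""
    if st["Principal"] != "*" and principal not in _as_list(st["Principal"]["AWS"]):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
        return False
    # Bool condition: the statement applies only if every key equals the request context value
    return all(ctx.get(k) == v for k, v in st.get("Condition", {}).get("Bool", {}).items())

def evaluate(policy, principal, action, resource, https):
    """Simplified IAM evaluation: a matching explicit Deny always wins; otherwise
    a matching Allow grants access; otherwise the request is implicitly denied."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    allowed = False
    for st in policy["Statement"]:
        if _matches(st, principal, action, resource, ctx):
            if st["Effect"] == "Deny":
                return "DENY"
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"
```

Calling `evaluate(build_bucket_policy(BUCKET, TRUSTED_ACCOUNTS), "arn:aws:iam::111111111111:root", "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv", https)` returns "ALLOW" for `https=True` and "DENY" for `https=False`; the same object requested by an account outside the list is "IMPLICIT_DENY" over HTTPS and "DENY" over HTTP.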

The latest AWS Certified Developer – Associate DVA-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Developer – Associate DVA-C02 exam and earn AWS Certified Developer – Associate DVA-C02 certification.

AWS Certified Developer - Associate DVA-C02 Exam Questions and Answers

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
