Which solution will meet these requirements?
Create an AWS Lambda function that is invoked periodically by an Amazon EventBridge scheduled rule. Program the Lambda function to scan all current S3 buckets for encryption status and to set AES-256 as the default encryption for any S3 bucket that does not have an encryption configuration.
Set up and activate the s3-bucket-server-side-encryption-enabled AWS Config managed rule. Configure the rule to use the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook as the remediation action. Manually run the re-evaluation process to ensure that existing S3 buckets are compliant.
Create an AWS Lambda function that is invoked by an Amazon EventBridge event rule. Define the rule with an event pattern that matches the creation of new S3 buckets. Program the Lambda function to parse the EventBridge event, check the configuration of the S3 buckets from the event, and set AES-256 as the default encryption.
Configure an IAM policy that denies the s3:CreateBucket action if the s3:x-amz-server-side-encryption condition key has a value that is not AES-256. Create an IAM group for all the company’s IAM users. Associate the IAM policy with the IAM group.
Explanations:
While this option would check and enable encryption on existing S3 buckets, it does not address the requirement to enforce encryption on new S3 buckets immediately upon creation. A scheduled Lambda function is not an efficient way to ensure real-time compliance for new bucket creations.
This option leverages AWS Config to ensure that all existing and future S3 buckets are compliant with the encryption requirement. The managed rule automatically checks and applies the encryption settings as needed, ensuring compliance without the need for manual intervention for future buckets.
Although this option would enable encryption for new S3 buckets, it does not ensure that existing S3 buckets are encrypted. It only addresses the requirement for new bucket creation without a mechanism to enforce encryption retroactively on existing buckets.
While this IAM policy would prevent users from creating buckets without specifying AES-256 encryption, it does not enforce encryption on existing buckets. Additionally, this approach may lead to user frustration if they attempt to create a bucket without encryption, but it won’t resolve the issue of existing non-compliant buckets.
I map out that the answer is:
Set up and activate the s3-bucket-server-side-encryption-enabled AWS Config managed rule. Configure the rule to use the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook as the remediation action. Manually run the re-evaluation process to ensure that existing S3 buckets are compliant.