Which combination of steps should the security engineer take to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A company is designing a solution to serve content from an Amazon CloudFront distribution that will have an Amazon S3 bucket as the origin.A security engineer needs to encrypt S3 data at rest with an AWS Key Management Service (KMS) customer managed key rather than with an S3 managed key.The solution must minimize operational overhead.

Which combination of steps should the security engineer take to meet these requirements?

(Choose three.)

Create the S3 bucket. Configure server-side encryption with a customer managed KMS key.

Create the S3 bucket. Configure server-side encryption with customer-provided encryption keys (SSE-C).

Create the CloudFront distribution. Use the S3 bucket as the origin. Configure the distribution to use an origin access identity (OAI).

Create the CloudFront distribution. Use the S3 bucket as the origin. Delete the origin access identity (OAI) configuration.

Configure the CloudFront distribution cache to encrypt data at rest by using the customer managed KMS key.

Create a Lambda@Edge function that runs for origin request events and reads from the S3 bucket by using the customer managed KMS key.

2026-04-06

2 Comments

  1. Willie
    Author

    It appears that the answer is:
    Create the S3 bucket. Configure server-side encryption with a customer managed KMS key.

  2. Jean
    Author

    From my point of view, the answer is:
    Create the S3 bucket. Configure server-side encryption with a customer managed KMS key.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − seven =