How can the developer enforce that all requests to retrieve the data provide encryption in transit?
Define a resource-based policy on the S3 bucket to deny access when a request meets the condition “aws:SecureTransport”: “false”.
Define a resource-based policy on the S3 bucket to allow access when a request meets the condition “aws:SecureTransport”: “false”.
Define a role-based policy on the other accounts’ roles to deny access when a request meets the condition of “aws:SecureTransport”: “false”.
Define a resource-based policy on the KMS key to deny access when a request meets the condition of “aws:SecureTransport”: “false”.
Explanations:
This option correctly implements a condition in the S3 bucket policy that denies access to objects unless the request is made over a secure transport protocol (HTTPS). The condition key aws:SecureTransport being set to false indicates that the request is not using HTTPS, so denying access in this case ensures that all data retrieval requests use encryption in transit.
This option allows access when the aws:SecureTransport condition is false, which means it permits requests made without HTTPS. This directly contradicts the requirement to enforce encryption in transit, making it an inappropriate choice.
While a role-based policy can restrict access, it does not directly enforce encryption in transit for S3 operations. The aws:SecureTransport condition must be evaluated at the S3 bucket policy level to ensure that requests made to retrieve data are secure. Therefore, this option does not effectively meet the requirement.
Although denying access based on the aws:SecureTransport condition on the KMS key could add a layer of security, it does not enforce encryption in transit for S3 object retrieval specifically. S3 bucket policies must be used to ensure that requests to access the bucket are made securely. Thus, this option does not fully address the requirement for S3 access.
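As an added example (not part of the original question or any AWS-provided code), the following Python builds the correct bucket policy from the first option beside the incorrect "allow when insecure" policy from the second option, and runs a small, deliberately simplified evaluator over constructed request contexts to show why only the explicit Deny blocks plain-HTTP retrieval. The bucket name is a placeholder, and the evaluator models only the Bool operator and the "explicit Deny wins" rule, not the full IAM evaluation logic (identity policies, SCPs, NotAction, and so on are assumed away).

```python
import fnmatch
import json

# Placeholder bucket name; an assumption, not from the question.
BUCKET = "example-data-bucket"


def _s3_resources(bucket: str) -> list:
    # Both ARNs are needed: bucket-level calls (ListBucket) hit the bucket ARN,
    # object-level calls (GetObject) hit the object ARN.
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def build_tls_only_policy(bucket: str) -> dict:
    """Correct policy: deny every S3 action when the request did not use TLS.

    aws:SecureTransport is "true" for HTTPS and "false" for plain HTTP, so an
    explicit Deny on "false" rejects unencrypted access for any principal,
    including roles in other accounts, without the caller's own policies
    being able to override it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": _s3_resources(bucket),
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def build_allow_insecure_policy(bucket: str) -> dict:
    """Incorrect policy (the second option): it grants access precisely when
    the request is unencrypted, the opposite of the requirement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowInsecureTransport",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": _s3_resources(bucket),
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Bool operator semantics: the key must be present in the request
    context and equal the expected value (case-insensitive)."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"toy evaluator only supports Bool, got {operator}")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), context))


def evaluate(policy: dict, action: str, resource: str, context: dict,
             identity_allows: bool = True) -> str:
    """Simplified evaluation: an explicit Deny in the bucket policy always wins;
    otherwise a matching Allow, or the caller's identity policy, decides."""
    statements = policy["Statement"]
    if any(s["Effect"] == "Deny" and _statement_matches(s, action, resource, context)
           for s in statements):
        return "DENY"
    if any(s["Effect"] == "Allow" and _statement_matches(s, action, resource, context)
           for s in statements):
        return "ALLOW"
    return "ALLOW" if identity_allows else "DENY"


def enforces_tls(policy: dict) -> bool:
    """Audit check for a bucket policy document: is there an explicit Deny on
    aws:SecureTransport=false that covers object reads?"""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt["Effect"] != "Deny" or str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        covers_objects = any(r.endswith("/*") for r in _as_list(stmt["Resource"]))
        covers_get = any(fnmatch.fnmatchcase("s3:GetObject", a) for a in _as_list(stmt["Action"]))
        if covers_objects and covers_get:
            return True
    return False


if __name__ == "__main__":
    policy = build_tls_only_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"  # constructed object ARN
    print(evaluate(policy, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))  # DENY
    print(evaluate(policy, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))   # ALLOW
```

The enforces_tls check is the kind of lint a defender would run across account bucket policies: it only passes when the Deny statement covers the object ARN (the trailing /*) as well as GetObject, since a Deny scoped to the bucket ARN alone would still let unencrypted object downloads through.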