Which combination of steps will meet the encryption requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is designing a new website that hosts static content.The website will give users the ability to upload and download large files.According to company requirements, all data must be encrypted in transit and at rest.A solutions architect is building the solution by using Amazon S3 and Amazon CloudFront.

Which combination of steps will meet the encryption requirements?

(Choose three.)

Turn on S3 server-side encryption for the S3 bucket that the web application uses.

Add a policy attribute of “aws:SecureTransport”: “true” for read and write operations in the S3 ACLs.

Create a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses.

Configure encryption at rest on CloudFront by using server-side encryption with AWS KMS keys (SSE-KMS).

Configure redirection of HTTP requests to HTTPS requests in CloudFront.

Use the RequireSSL option in the creation of presigned URLs for the S3 bucket that the web application uses.

Explanations:

Enabling S3 server-side encryption ensures that all data stored in the S3 bucket is encrypted at rest.

Adding “aws” is ineffective in ACLs; this needs to be set in the bucket policy for HTTPS enforcement.

A bucket policy that denies unencrypted operations ensures all data in transit uses encryption (HTTPS).

CloudFront does not support SSE-KMS encryption at rest; S3 handles encryption for content storage.

Redirecting HTTP to HTTPS in CloudFront enforces encryption in transit, aligning with company security requirements.

RequireSSL in presigned URLs can enforce HTTPS but does not ensure overall encryption requirements are met.

2025-10-20

1 Comment

  1. Nicholas
    Author

    I assess that the answer is:
    Turn on S3 server-side encryption for the S3 bucket that the web application uses.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen − 2 =