Which combination of steps will meet the encryption requirements?
(Choose three.)
Turn on S3 server-side encryption for the S3 bucket that the web application uses.
Add a policy attribute of "aws:SecureTransport": "true" for read and write operations in the S3 ACLs.
Create a bucket policy that denies any unencrypted operations in the S3 bucket that the web application uses.
Configure encryption at rest on CloudFront by using server-side encryption with AWS KMS keys (SSE-KMS).
Configure redirection of HTTP requests to HTTPS requests in CloudFront.
Use the RequireSSL option in the creation of presigned URLs for the S3 bucket that the web application uses.
Explanations:
Enabling S3 server-side encryption ensures that all data stored in the S3 bucket is encrypted at rest.
Adding "aws:SecureTransport" is ineffective in ACLs; this condition needs to be set in the bucket policy for HTTPS enforcement.
A bucket policy that denies unencrypted operations ensures all data in transit uses encryption (HTTPS).
CloudFront does not support SSE-KMS encryption at rest; S3 handles encryption for content storage.
Redirecting HTTP to HTTPS in CloudFront enforces encryption in transit, aligning with company security requirements.
RequireSSL in presigned URLs can enforce HTTPS but does not ensure overall encryption requirements are met.