Which combination of steps will meet these requirements?
(Choose two.)
Write an S3 bucket policy to allow only encrypted connections over HTTPS by using a permissions boundary.
Configure an S3 bucket policy to enable client-side encryption for the objects containing personal data by using an AWS KMS customer managed key.
Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects containing personal data to Amazon S3.
Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition.
Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS.
Explanations:
S3 bucket policies do not support permissions boundaries. Permissions boundaries are used to limit IAM user or role permissions but cannot enforce HTTPS connections for S3 buckets.
Client-side encryption requires encryption to be performed on the client side, but the requirement is for AWS KMS server-side encryption in S3. AWS KMS can be used directly with S3 server-side encryption without configuring client-side encryption.
Configuring the application to use an AWS KMS customer managed key before uploading objects allows S3 to perform server-side encryption using KMS, meeting the requirement for encrypting personal data at rest with keys that can be rotated.
The aws:SecureTransport condition in an S3 bucket policy enforces HTTPS for all incoming connections, ensuring in-transit encryption for data uploaded to the bucket.
S3 Block Public Access settings restrict public access to S3 buckets but do not enforce HTTPS-only connections. The aws:SecureTransport condition in a bucket policy is the correct method for enforcing encrypted HTTPS connections.
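As an added worked example (not part of the original question or its explanations), the following Python builds the bucket policy that the two correct options imply: a Deny on every action when aws:SecureTransport is false, plus Deny statements that reject PutObject calls which do not request SSE-KMS with a specific customer managed key. It also returns the parameters an application would pass to boto3's put_object (ServerSideEncryption and SSEKMSKeyId) so that S3 performs the KMS encryption, and it includes a deliberately simplified condition evaluator so the statements can be exercised offline. The bucket name and key ARN are placeholders; the evaluator handles only the Bool, Null and StringNotEquals operators used here and is a teaching aid, not IAM's evaluation engine.

```python
import fnmatch
import json

# Placeholder values constructed for this example; substitute your own bucket and key ARN.
BUCKET = "example-personal-data-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def build_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy that (1) rejects any request not made over HTTPS via the
    aws:SecureTransport condition and (2) rejects PutObject calls that do not
    ask for SSE-KMS with the expected customer managed key."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Covers bucket-level actions (e.g. ListBucket) and object-level actions.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Upload sent no server-side-encryption header at all.
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # Upload asked for something other than SSE-KMS (e.g. AES256 = SSE-S3).
                "Sid": "DenyNonKmsEncryption",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Upload asked for SSE-KMS but with a different key than the approved CMK.
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def policy_json(bucket: str = BUCKET, kms_key_arn: str = KMS_KEY_ARN) -> str:
    """The document you would pass to `aws s3api put-bucket-policy --policy`."""
    return json.dumps(build_bucket_policy(bucket, kms_key_arn), indent=2)


def sse_kms_upload_args(kms_key_arn: str = KMS_KEY_ARN) -> dict:
    """Extra keyword arguments for boto3 `s3.put_object(...)` so S3 encrypts the
    object server-side with the customer managed key (option C in the question)."""
    return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_arn}


def _condition_holds(operator: str, tests: dict, context: dict) -> bool:
    """Simplified condition evaluation for the three operators used above."""
    for key, expected in tests.items():
        present = key in context
        if operator == "Bool":
            ok = present and str(context[key]).lower() == expected
        elif operator == "Null":
            ok = (not present) == (expected == "true")
        elif operator == "StringNotEquals":
            ok = context.get(key) != expected
        else:
            raise ValueError(f"unsupported operator {operator}")
        if not ok:
            return False
    return True


def first_denying_statement(policy: dict, action: str, context: dict):
    """Return the Sid of the first Deny statement matching the request, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if all(_condition_holds(op, tests, context) for op, tests in stmt["Condition"].items()):
            return stmt["Sid"]
    return None


def check_put(https: bool, sse_header: str = None, kms_key_id: str = None):
    """Simulate a PutObject request context and report which statement (if any) denies it."""
    ctx = {"aws:SecureTransport": https}
    if sse_header:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    if kms_key_id:
        ctx["s3:x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return first_denying_statement(build_bucket_policy(BUCKET, KMS_KEY_ARN), "s3:PutObject", ctx)


if __name__ == "__main__":
    print(policy_json())
    for args in [(False, "aws:kms", KMS_KEY_ARN), (True,), (True, "AES256"), (True, "aws:kms", KMS_KEY_ARN)]:
        print(args, "->", check_put(*args))
```

The Null statement is the documented pattern for catching uploads that omit the encryption header entirely. If you instead rely on bucket default encryption (where clients may send no header and S3 applies SSE-KMS itself), that statement would block such clients, so pick one enforcement path: header-enforcing policy with clients that set the header, as the question's correct option does, or default encryption without the Null statement.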