Which solution will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company uses an organization in AWS Organizations to manage several AWS accounts that the company’s developers use.The company requires all data to be encrypted in transit.Multiple Amazon S3 buckets that were created in developer accounts allow unencrypted connections.A DevOps engineer must enforce encryption of data in transit for all existing S3 buckets that are created in accounts in the organization.

Which solution will meet these requirements?

Use AWS CloudFormation StackSets to deploy an AWS Network Firewall firewall to each account. Route all outbound requests from the AWS environment through the firewall. Deploy a policy to block access to all outbound requests on port 80.

Use AWS CloudFormation StackSets to deploy an AWS Network Firewall firewall to each account. Route all inbound requests to the AWS environment through the firewall. Deploy a policy to block access to all inbound requests on port 80.

Turn on AWS Config for the organization. Deploy a conformance pack that uses the s3-bucket-ssl-requests-only managed rule and an AWS Systems Manager Automation runbook. Use a runbook that adds a bucket policy statement to deny access to an S3 bucket when the value of the aws:SecureTransport condition key is false.

Turn on AWS Config for the organization. Deploy a conformance pack that uses the s3-bucket-ssl-requests-only managed rule and an AWS Systems Manager Automation runbook. Use a runbook that adds a bucket policy statement to deny access to an S3 bucket when the value of the s3:x-amz-server-side-encryption-aws-kms-key-id condition key is null.

Explanations:

This option focuses on using AWS Network Firewall to block outbound traffic on port 80, which does not directly enforce encryption for S3 buckets. It would restrict HTTP traffic but does not ensure that all S3 buckets require HTTPS connections for data in transit.

Similar to option A, this option uses AWS Network Firewall to block inbound traffic on port 80. While it prevents unencrypted traffic from reaching the AWS environment, it does not address the enforcement of encryption for S3 bucket connections specifically.

This option uses AWS Config to monitor compliance with thes3-bucket-ssl-requests-onlyrule, which ensures that S3 buckets can only accept secure connections (HTTPS). The runbook further enhances compliance by adding a bucket policy that denies access when theaws:SecureTransportcondition is false, effectively enforcing encryption in transit for existing buckets.

This option focuses on checking for thes3:x-amz-server-side-encryption-aws-kms-key-idcondition key, which pertains to server-side encryption rather than enforcing encryption in transit. It does not address the requirement for HTTPS connections specifically, making it ineffective for the given task.

2025-10-12

1 Comment

  1. Alexis
    Author

    I organize that the answer is:
    Turn on AWS Config for the organization. Deploy a conformance pack that uses the s3-bucket-ssl-requests-only managed rule and an AWS Systems Manager Automation runbook. Use a runbook that adds a bucket policy statement to deny access to an S3 bucket when the value of the aws:SecureTransport condition key is false.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 3 =