Which solution will meet these requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A health insurance company stores personally identifiable information (PII) in an Amazon S3 bucket.The company uses server-side encryption with S3 managed encryption keys (SSE-S3) to encrypt the objects.According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company’s security team manages.The S3 bucket does not have versioning enabled.

Which solution will meet these requirements?

In the S3 bucket properties, change the default encryption to SSE-S3 with a customer managed key. Use the AWS CLI to re-upload all objects in the S3 bucket. Set an S3 bucket policy to deny unencrypted PutObject requests.

In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Set an S3 bucket policy to deny unencrypted PutObject requests. Use the AWS CLI to re-upload all objects in the S3 bucket.

In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Set an S3 bucket policy to automatically encrypt objects on GetObject and PutObject requests.

In the S3 bucket properties, change the default encryption to AES-256 with a customer managed key. Attach a policy to deny unencrypted PutObject requests to any entities that access the S3 bucket. Use the AWS CLI to re-upload all objects in the S3 bucket.

Explanations:

Changing the default encryption to SSE-S3 with a customer managed key does not apply the new encryption to existing objects. Additionally, the company needs to manage keys, which SSE-S3 does not provide. Re-uploading objects would not enforce the use of customer-managed keys.

By changing the default encryption to SSE-KMS, all new objects will be encrypted with keys managed by AWS KMS, which the company can control. Re-uploading existing objects ensures they are encrypted with the new keys. The bucket policy will enforce encryption for future uploads.

While changing to SSE-KMS will ensure that new objects are encrypted, setting a policy to automatically encrypt on GetObject and PutObject requests is not valid. The bucket policy cannot enforce encryption automatically during retrieval and would not retroactively encrypt existing objects.

AES-256 is not a valid configuration for customer-managed keys in S3; the correct option is SSE-KMS. Additionally, changing to AES-256 does not provide the required key management and does not retroactively encrypt existing objects without re-uploading.

2025-10-05

1 Comment

  1. Grace
    Author

    I rate that the answer is:
    In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Set an S3 bucket policy to deny unencrypted PutObject requests. Use the AWS CLI to re-upload all objects in the S3 bucket.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + three =