Q36 — AWS DOP-C02 Ch.1


A company uses Amazon S3 buckets to store critical documents. The company discovers that some S3 buckets are unencrypted. Currently, IAM users in the company can create new S3 buckets without encryption. The company is implementing a new requirement mandating that all S3 buckets must be encrypted.

Correct Answer: D. Configure an IAM policy that denies the s3:CreateBucket action if the s3:x-amz-server-side-encryption condition key value is not AES-256. Create an IAM group for all company IAM users and attach the IAM policy to the group.

Explanation

The reasoning behind the marked answer is that encryption should be enforced at the API level rather than detected after the fact. Option D attaches an IAM policy to the group holding all company users that denies s3:CreateBucket unless the request specifies AES-256 server-side encryption, so a non-compliant bucket is never created. Options A, B and C rely on post-creation detection and remediation, which leaves a window during which unencrypted buckets exist and requires additional infrastructure to run the checks.

Two caveats a practitioner should know before applying this pattern. First, the s3:x-amz-server-side-encryption condition key is populated from the x-amz-server-side-encryption request header, which is sent on object uploads (s3:PutObject); a CreateBucket request carries no such header, and a bucket's default encryption is configured after creation through PutBucketEncryption (the s3:PutEncryptionConfiguration action). The deny-unless-encrypted condition documented by AWS is therefore written against s3:PutObject, usually paired with a Null condition so that requests that omit the header entirely are also denied. Second, since January 2023 Amazon S3 applies SSE-S3 (AES-256) default encryption to every new bucket and every new object, so the scenario describes an older state of the service; the policy still serves as an explicit guardrail that documents the company's requirement and fails closed if the caller requests anything else.
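As an added example that is not part of the original question bank, the policy below expresses the deny-unless-encrypted control in the form AWS documents for object uploads: the first statement denies any s3:PutObject whose encryption header is not AES256, and the second denies uploads that omit the header altogether. The statement IDs are illustrative, and the resource ARN `arn:aws:s3:::*/*` is an assumption that the control should cover every object in every bucket the group's users can reach.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectUploadsNotAES256",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::*/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyObjectUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::*/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Attach the policy to the IAM group as the answer describes; because it is a Deny, it overrides any Allow the users hold elsewhere. To require SSE-KMS instead, change the StringNotEquals value to `aws:kms`. Bucket-level default encryption is a separate control set with `aws s3api put-bucket-encryption` after the bucket exists, which is why the condition key has no effect on s3:CreateBucket itself.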