Q36 — AWS DOP-C02 Ch.1
A company uses Amazon S3 buckets to store critical documents. The company discovers that some S3 buckets are unencrypted. Currently, IAM users in the company can create new S3 buckets without encryption. The company is implementing a new requirement mandating that all S3 buckets must be encrypted.
- A. Create an AWS Lambda function invoked periodically by an Amazon EventBridge scheduled rule. Program the Lambda function to scan all current S3 buckets for encryption status and set AES-256 as the default encryption for any bucket lacking encryption configuration.
- B. Set up and activate the s3-bucket-server-side-encryption-enabled AWS Config managed rule. Configure the rule to use the AWS-enable-s3-bucket-encryption AWS Systems Manager Automation runbook as the remediation action. Manually run the re-evaluation process to ensure existing S3 buckets comply.
- C. Create an AWS Lambda function invoked by an Amazon EventBridge event rule. Define the rule with an event pattern matching new S3 bucket creation events. Write the Lambda function to parse the EventBridge event, inspect the S3 bucket configuration, and set AES-256 as the default encryption.
- D. Configure an IAM policy that denies the s3:CreateBucket action if the s3:x-amz-server-side-encryption condition key value is not AES-256. Create an IAM group for all company IAM users and attach the IAM policy to the group. ✓
Correct Answer: D. Configure an IAM policy that denies the s3:CreateBucket action if the s3:x-amz-server-side-encryption condition key value is not AES-256. Create an IAM group for all company IAM users and attach the IAM policy to the group.
Explanation
Enforcing server-side encryption at S3 bucket creation time requires blocking unencrypted bucket creation at the API level. Option D achieves this by using an IAM condition key (s3:x-amz-server-side-encryption) to deny s3:CreateBucket unless AES-256 encryption is explicitly specified, so unencrypted buckets are never created in the first place. Options A, B, and C rely on post-creation detection and remediation, which leaves a window during which unencrypted buckets exist and requires additional infrastructure. AWS documentation confirms that IAM condition keys are the recommended method for enforcing encryption parameters during resource creation.