Q54 — AWS DOP-C02 Ch.2


A company uses Amazon S3 buckets to store critical documents. The company discovers that some S3 buckets are unencrypted. Currently, IAM users in the company can create new S3 buckets without encryption. The company is implementing a new requirement mandating that all S3 buckets must be encrypted. A DevOps engineer must implement a solution to ensure server-side encryption is enabled on both existing and newly created S3 buckets. Encryption must be enabled immediately after an S3 bucket is created. The default encryption type must be 256-bit Advanced Encryption Standard (AES-256). Which solution meets these requirements?

Correct Answer: B. Set up and activate the s3-bucket-server-side-encryption-enabled AWS Config managed rule. Configure the rule to use the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook as the remediation action. Manually run the re-evaluation process to ensure compliance of existing S3 buckets.

Explanation

The s3-bucket-server-side-encryption-enabled AWS Config managed rule checks whether S3 buckets are configured with server-side encryption and issues notifications when buckets are unencrypted. This rule can also be configured to automatically remediate noncompliant S3 buckets by invoking the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook. This solution ensures all existing S3 buckets become encrypted and all new S3 buckets created by IAM users are encrypted. It also guarantees the default encryption type is AES-256, which is the required encryption type.
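The following CloudFormation template is an added example, not part of the original question page, showing how the solution in answer B is wired together: the managed Config rule, plus a remediation configuration that invokes the AWS-EnableS3BucketEncryption runbook automatically with SSEAlgorithm fixed to AES256. It assumes AWS Config is already recording in the account and region, and that the IAM role passed as RemediationRoleArn exists and allows s3:PutEncryptionConfiguration (the role and parameter name are assumptions for this example).

```yaml
# Added example (not from the original page): Config rule + automatic
# remediation for unencrypted S3 buckets.
# Assumptions: AWS Config recorder already enabled; RemediationRoleArn points
# at an existing role that SSM Automation can assume and that permits
# s3:PutEncryptionConfiguration on the account's buckets.
AWSTemplateFormatVersion: '2010-09-09'
Description: Detect unencrypted S3 buckets and auto-remediate to AES-256 (SSE-S3)

Parameters:
  RemediationRoleArn:
    Type: String
    Description: ARN of the automation role (assumed to exist)

Resources:
  # Managed rule that flags buckets without server-side encryption.
  S3EncryptionRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  # Remediation action: run the AWS-EnableS3BucketEncryption runbook against
  # each NON_COMPLIANT bucket without human approval (Automatic: true).
  S3EncryptionRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3EncryptionRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-EnableS3BucketEncryption
      Automatic: true
      MaximumAutomaticAttempts: 5   # required when Automatic is true
      RetryAttemptSeconds: 60       # required when Automatic is true
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
        # RESOURCE_ID is the bucket name Config reports for the finding.
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
        # Pin the default encryption to SSE-S3 / AES-256 as the question requires.
        SSEAlgorithm:
          StaticValue:
            Values:
              - AES256
```

New buckets are remediated as soon as Config evaluates them after creation. For the buckets that already exist, the manual re-evaluation step in the answer corresponds to `aws configservice start-config-rules-evaluation --config-rule-names s3-bucket-server-side-encryption-enabled`, which re-runs the rule and triggers remediation for every bucket found noncompliant.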