Q54 — AWS DOP-C02 Ch.2
Question 54 of 100 (Chapter 2)
A company uses Amazon S3 buckets to store critical documents. The company discovers that some S3 buckets are unencrypted. Currently, IAM users in the company can create new S3 buckets without encryption. The company is implementing a new requirement mandating that all S3 buckets must be encrypted. A DevOps engineer must implement a solution to ensure server-side encryption is enabled on both existing and newly created S3 buckets. Encryption must be enabled immediately after an S3 bucket is created. The default encryption type must be 256-bit Advanced Encryption Standard (AES-256). Which solution meets these requirements?
- A. Create an AWS Lambda function invoked regularly by an Amazon EventBridge scheduled rule. Program the Lambda function to scan the encryption status of all current S3 buckets and set AES-256 as the default encryption for any S3 bucket lacking encryption configuration.
- B. Set up and activate the s3-bucket-server-side-encryption-enabled AWS Config managed rule. Configure the rule to use the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook as the remediation action. Manually run the re-evaluation process to ensure compliance of existing S3 buckets. ✓
- C. Create an AWS Lambda function invoked by an Amazon EventBridge event rule. Define the rule using an event pattern matching new S3 bucket creation. Program the Lambda function to parse the EventBridge event, inspect the S3 bucket configuration from the event, and set AES-256 as the default encryption.
- D. Configure an IAM policy that denies the s3:CreateBucket action if the s3:x-amz-server-side-encryption condition key value is not AES-256. Create an IAM group for all IAM users in the company and attach the IAM policy to the IAM group.
Correct Answer: B.
Explanation
The s3-bucket-server-side-encryption-enabled AWS Config managed rule checks whether each S3 bucket has default server-side encryption enabled (or a bucket policy that denies PutObject requests without server-side encryption) and marks every bucket that does not as NONCOMPLIANT. The rule is triggered by configuration changes, so a newly created bucket is evaluated as soon as AWS Config records it, and a re-evaluation of the rule covers the buckets that already exist. Attaching the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook as the rule's remediation action, with automatic remediation enabled (Config remediation is manual by default) and an IAM role that Systems Manager can assume with s3:PutEncryptionConfiguration permission, turns on default encryption for every noncompliant bucket. The runbook's SSEAlgorithm parameter defaults to AES256, which is exactly the required encryption type. Note that this does not stop an IAM user from creating an unencrypted bucket; it corrects the bucket shortly after creation, which is what the requirement asks for.

Why the other options fall short: option A runs on a schedule, so a bucket can remain unencrypted until the next scheduled run rather than being fixed immediately after creation. Option C reacts to bucket-creation events but does nothing for the existing unencrypted buckets. Option D relies on the s3:x-amz-server-side-encryption condition key, which applies to object uploads (s3:PutObject), not to s3:CreateBucket, and a deny policy cannot fix buckets that already exist.

A practical caveat: since January 2023 Amazon S3 applies SSE-S3 (AES-256) encryption to new objects by default, which narrows the gap this question targets, but the Config rule with automatic remediation remains the way to audit and enforce the bucket-level setting across an account.