Q83 — AWS DVA-C02 Ch.2
Question 83 of 100
A company has an Amazon S3 bucket containing sensitive data. Data must be encrypted both in transit and at rest. The company uses an AWS Key Management Service (AWS KMS) key to encrypt data in the S3 bucket. Developers need to grant several other AWS accounts permission to retrieve data from the S3 bucket using the s3:GetObject operation. How can developers enforce that all requests retrieving data must use encryption in transit?
- A. Define a resource-based policy on the S3 bucket that denies access when the request condition "aws:SecureTransport": "false" is met. ✓
- B. Define a resource-based policy on the S3 bucket that allows access when the request condition "aws:SecureTransport": "false" is met.
- C. Define a role-based policy on the roles of the other accounts that denies access when the request condition "aws:SecureTransport": "false" is met.
- D. Define a resource-based policy on the KMS key that denies access when the request condition "aws:SecureTransport": "false" is met.
Correct Answer: A. Define a resource-based policy on the S3 bucket that denies access when the request condition "aws:SecureTransport": "false" is met.
Explanation
Encryption at rest is already covered by the KMS key (SSE-KMS). Encryption in transit is a separate control: by default an S3 bucket accepts requests on both its HTTP and HTTPS endpoints, and nothing forces callers onto TLS unless a policy says so. The global condition key "aws:SecureTransport" is "true" for requests made over TLS and "false" otherwise, so the standard pattern is a Deny statement in the bucket policy with "Principal": "*", "Action": "s3:*", the bucket ARN and the object ARN as resources, and the condition "Bool": {"aws:SecureTransport": "false"}. Because an explicit Deny in a resource-based policy is evaluated before any Allow, including the cross-account Allow for s3:GetObject, plaintext requests are rejected for every principal, whichever account they come from. Option A describes exactly this.
The other options fail for different reasons. Option B inverts the logic: allowing when "aws:SecureTransport" is "false" would permit plaintext retrieval rather than block it. Option C puts the check in identity-based policies that belong to the other accounts; the bucket owner cannot guarantee those policies exist or stay in place, so the requirement is not enforced. Option D attaches the condition to the KMS key policy, which governs calls to the KMS API (which S3 makes on the caller's behalf, over TLS, when decrypting the object), not the transport used for the S3 GetObject request itself.
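The following is an added illustration, not code from the original exam page or from AWS: it builds the bucket policy that option A describes and runs a minimal evaluator that models only the relevant part of IAM's decision logic (explicit Deny first, then Allow, otherwise implicit deny; Bool conditions only). The bucket name, account IDs and object key are made up for the example.

```python
"""Added example: the TLS-only bucket policy from option A, plus a minimal
evaluator showing why an explicit Deny on aws:SecureTransport=false blocks
plaintext requests from every principal, including trusted cross-account ones.
Bucket name, account IDs and the object key are invented for this example."""
import fnmatch
import json


def build_bucket_policy(bucket, trusted_accounts):
    """Return a bucket policy: a cross-account s3:GetObject Allow plus a
    Deny for non-TLS requests covering both the bucket and object ARNs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountGetObject",
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusted_accounts]},
                "Action": "s3:GetObject",
                "Resource": f"{bucket_arn}/*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                # Bool condition: matches when the request did not use TLS.
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account):
    """'*' matches everyone; an account-root ARN matches any principal of that account."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", []))
    return "*" in arns or any(p.endswith(f"::{account}:root") for p in arns)


def _condition_matches(condition, req):
    # Only the Bool operator is modelled; a missing context key does not match.
    for key, expected in condition.get("Bool", {}).items():
        actual = req["context"].get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def _statement_matches(stmt, req):
    action_ok = any(fnmatch.fnmatchcase(req["action"].lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(req["resource"], r)
                      for r in _as_list(stmt["Resource"]))
    return (_principal_matches(stmt["Principal"], req["account"])
            and action_ok and resource_ok
            and _condition_matches(stmt.get("Condition", {}), req))


def evaluate(policy, req):
    """Resource-policy decision: explicit Deny wins, then any Allow, else implicit deny.
    (The caller's own identity policy, also needed for cross-account access, is not modelled.)"""
    matching = [s for s in policy["Statement"] if _statement_matches(s, req)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matching):
        return "Allow"
    return "Deny"


def demo():
    """Evaluate three constructed GetObject requests against the policy."""
    policy = build_bucket_policy("sensitive-data-bucket", ["111122223333"])
    obj = "arn:aws:s3:::sensitive-data-bucket/report.csv"

    def req(account, tls):
        return {"account": account, "action": "s3:GetObject", "resource": obj,
                "context": {"aws:SecureTransport": "true" if tls else "false"}}

    return {
        "trusted_https": evaluate(policy, req("111122223333", True)),
        "trusted_http": evaluate(policy, req("111122223333", False)),
        "untrusted_https": evaluate(policy, req("999999999999", True)),
    }


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy("sensitive-data-bucket", ["111122223333"]), indent=2))
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The trusted account's HTTPS request is allowed, its HTTP request hits the explicit Deny even though the Allow also matches, and the untrusted account is implicitly denied. To apply the real policy you would pass `json.dumps(policy)` to the S3 `put_bucket_policy` API (for example via boto3); the evaluator here is only a teaching model and does not replace the IAM policy simulator.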