Incorrect answer for AWS CDA Security section exam question
Carlo-TutorialsDojo updated 1 year, 7 months ago · 2 Members · 2 Posts
Hello,
I came across this question in the Security section for AWS Certified Developer Associate and I believe the incorrect answer is selected as the right one.
Category: CDA – Security
An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS–Managed Keys (SSE-KMS).
Which of the following is required to properly implement this requirement?
This is provided as the correct answer.
Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header.
However, someone can send a request with x-amz-server-side-encryption: “AES256” instead of “aws:kms”, which would mean that SSE-S3 is used, which does not satisfy the requirement.
Therefore, this answer is incorrect.
Here is the documentation where it shows AES256 is valid:
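The gap described in this post can be shown by evaluating the two candidate bucket policies against a PutObject request. The following is an added example, not code from the post or from Tutorials Dojo: it models, in a simplified form, how IAM evaluates the `Null` and `StringNotEquals` condition operators on the `s3:x-amz-server-side-encryption` condition key (the key S3 populates from the request header), and compares the answer's header-present check with a policy that requires the value `aws:kms`. The bucket ARN is a constructed placeholder.

```python
"""Compare two S3 bucket policies that try to enforce SSE-KMS on PutObject.

Added example: a minimal model of IAM Deny-statement evaluation, covering
only the condition operators used below. Real IAM evaluation has more
rules (explicit allows, multiple keys, policy variables); this keeps
just enough to show the difference between the two conditions.
"""

# Condition key that S3 fills from the x-amz-server-side-encryption header.
SSE_KEY = "s3:x-amz-server-side-encryption"
BUCKET_ARN = "arn:aws:s3:::example-bucket"  # constructed placeholder


def deny_put_unless(condition):
    """Build a bucket policy with a single Deny on s3:PutObject."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutObjectUnlessCondition",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{BUCKET_ARN}/*",
                "Condition": condition,
            }
        ],
    }


# The exam's answer: deny only when the header is absent. Any value,
# including AES256 (SSE-S3), passes.
WEAK_POLICY = deny_put_unless({"Null": {SSE_KEY: "true"}})

# Tightened variant: deny unless the header is exactly aws:kms.
STRICT_POLICY = deny_put_unless({"StringNotEquals": {SSE_KEY: "aws:kms"}})


def condition_matches(condition, context):
    """Return True if every operator/key pair in the condition block matches.

    Semantics follow the documented IAM behaviour for a missing key:
    non-negated operators evaluate to false, negated ones (StringNotEquals)
    evaluate to true, and Null compares presence against "true"/"false".
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                key_is_absent = actual is None
                if key_is_absent != (expected == "true"):
                    return False
            elif operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def is_denied(policy, action, context):
    """True if any Deny statement for `action` has a matching condition."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or statement["Action"] != action:
            continue
        if condition_matches(statement.get("Condition", {}), context):
            return True
    return False


def put_object_denied(policy, sse_header):
    """Evaluate a PutObject whose x-amz-server-side-encryption header is
    `sse_header` (None means the header was not sent)."""
    context = {} if sse_header is None else {SSE_KEY: sse_header}
    return is_denied(policy, "s3:PutObject", context)


def compare_policies():
    """Map each header value to (denied_by_weak, denied_by_strict)."""
    return {
        label: (put_object_denied(WEAK_POLICY, v), put_object_denied(STRICT_POLICY, v))
        for label, v in (("no header", None), ("AES256", "AES256"), ("aws:kms", "aws:kms"))
    }


if __name__ == "__main__":
    for label, (weak, strict) in compare_policies().items():
        print(f"{label:10} weak policy denies: {weak!s:5} strict policy denies: {strict}")
```

The `AES256` row is the point of the post: the header-presence check lets an SSE-S3 upload through, while the `StringNotEquals` form denies it. Note that with the strict form a request carrying no header at all is also denied, because negated operators match when the key is missing; the presence check alone never distinguishes SSE-S3 from SSE-KMS.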
Hello kaws8902,
I understand that the x-amz-server-side-encryption header can have different values based on the type of KMS key being used, such as “aws:kms” or “AES256”. However, the given answer cannot be dismissed as incorrect simply because there are other possible values for the header. Rather, the appropriateness of the answer depends on the specific conditions and options presented in the scenario. The question is testing you on what specific header to use. If the question asks you to choose between the right x-amz-server-side-encryption values, then that’s a different story.
Let me know what you think.
Regards,
Carlo @ Tutorials Dojo