  • S3 encryption

  • JustCloud

    Member
    January 23, 2024 at 1:00 am

    An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS–Managed Keys (SSE-KMS).

    Which of the following is required to properly implement this requirement?

    The answer from the practice exam is:
    Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header.

    But, in my opinion, the answer should be:

    Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.

    Because x-amz-server-side-encryption can be used to specify encryption with either SSE-S3 or KMS.
    Hence it might defeat the objective to encrypt with KMS.

    Although without the x-amz-server-side-encryption-aws-kms-key-id header KMS can still be applicable (by applying the default KMS key), enforcing this header to exist guarantees we encrypt the object using a KMS key.

    What do you guys think?

    PS: Is there any feature in the forum to search posts? So I can search with keywords like “S3” or “encryption” before posting a new thread, and prevent duplicate posts?

    Thanks

  • Carlo-TutorialsDojo

    Administrator
    January 23, 2024 at 6:09 pm

    Thanks for your feedback.

    I understand your concern.

    There are various methods for using x-amz-server-side-encryption-aws-kms-key-id in a condition within a bucket policy. One way is to place it under a Null condition and set the value of x-amz-server-side-encryption-aws-kms-key-id to true. By doing this, if no specific KMS key ID is provided in the request, S3 will deny the request. Another method is to use a String match condition, which will allow you to enforce the usage of a particular KMS key. In this question, the option “Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.” is meant to refer to the second method, hence why it’s considered wrong, since what the scenario is simply asking for is the enforcement of SSE-KMS, regardless of the KMS keys used.

    We acknowledge that the context in which the x-amz-server-side-encryption-aws-kms-key-id header is used is not clearly defined. To prevent any confusion, we will update and clarify this item accordingly.

    Let me know if you need any further clarifications.

    Regards,

    Carlo @ Tutorials Dojo
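To make the difference between the two bucket-policy approaches discussed in this thread concrete, here is an added example (not from the original posts or from AWS) that simulates how Deny statements using StringNotEquals and Null conditions react to constructed PutObject header sets; the evaluator is a simplification (only Deny statements are modelled, an Allow is assumed to exist elsewhere), and the KMS key ARN is a placeholder.

```python
# Map the request headers from the thread to the S3 condition keys they populate.
HEADER_TO_KEY = {
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
    "x-amz-server-side-encryption-aws-kms-key-id":
        "s3:x-amz-server-side-encryption-aws-kms-key-id",
}

def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition entry against the request context dict."""
    present = key in ctx
    if operator == "Null":             # "true" matches when the key is absent
        return present != (expected == "true")
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":  # assumption: absent key counts as "not equal"
        return not present or ctx[key] != expected
    raise ValueError(f"unsupported operator {operator}")

def put_object_decision(deny_statements, headers):
    """'Deny' if any Deny statement fully matches, else 'Allow' (Allow assumed elsewhere)."""
    ctx = {HEADER_TO_KEY[h]: v for h, v in headers.items()}
    for stmt in deny_statements:
        if all(condition_matches(op, k, v, ctx)
               for op, block in stmt["Condition"].items() for k, v in block.items()):
            return "Deny"
    return "Allow"

# Practice-exam answer: deny unless SSE-KMS is requested, whatever KMS key is used.
ENFORCE_SSE_KMS = [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]

# Poster's alternative (the admin's "Null condition" reading): an explicit key ID is also required.
REQUIRE_KEY_ID = ENFORCE_SSE_KMS + [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"}}},
]

# Constructed PutObject header sets; the key ARN is a placeholder, not a real key.
REQUESTS = {
    "plaintext": {},
    "sse_s3": {"x-amz-server-side-encryption": "AES256"},
    "sse_kms_default_key": {"x-amz-server-side-encryption": "aws:kms"},
    "sse_kms_explicit_key": {"x-amz-server-side-encryption": "aws:kms",
                             "x-amz-server-side-encryption-aws-kms-key-id":
                                 "arn:aws:kms:REGION:ACCOUNT-ID:key/PLACEHOLDER-KEY-ID"},
}

if __name__ == "__main__":
    for name, hdrs in REQUESTS.items():
        print(f"{name:21} SSE-KMS only: {put_object_decision(ENFORCE_SSE_KMS, hdrs):5}  "
              f"key ID required: {put_object_decision(REQUIRE_KEY_ID, hdrs)}")
```

The run shows why the exam answer fits the scenario: the SSE-KMS-only policy rejects plaintext and SSE-S3 uploads but accepts SSE-KMS with the default key, whereas adding the Null condition on the key-ID header also rejects the default-key upload.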
