
  • S3 encryption

  • JustCloud

    Member
    January 23, 2024 at 1:00 am

    An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS–Managed Keys (SSE-KMS).

    Which of the following is required to properly implement this requirement?

    The answer from the practice exam is:
    Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header.

    But, in my opinion, the answer should be:

    Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.

    Because: x-amz-server-side-encryption can be used to specify encryption with either SSE-S3 or KMS.
    Hence it might defeat the objective to encrypt with KMS.

    Although without the x-amz-server-side-encryption-aws-kms-key-id header KMS can still be applied (by using the default KMS key), enforcing that this header exists guarantees that we encrypt the object using a KMS key.

    What do you guys think?

    PS: Is there any feature in the forum to search posts? So I can search with keywords like "S3" or "encryption" before posting a new thread, and prevent duplicate posts.

    Thanks

  • Carlo-TutorialsDojo

    Member
    January 23, 2024 at 6:09 pm

    Thanks for your feedback.

    I understand your concern.

    There are various methods for using the x-amz-server-side-encryption-aws-kms-key-id in a condition within a bucket policy. One way is to place it under a Null condition and set the value of x-amz-server-side-encryption-aws-kms-key-id to true. By doing this, if no specific KMS ID is provided in the request, S3 will deny the request. Another method is to use a String match condition, which will allow you to enforce the usage of a particular KMS key. In this question, the option "Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header." is meant to refer to the second method, hence why it's considered wrong, since the scenario is simply asking for the enforcement of SSE-KMS, regardless of the KMS keys used.

    We acknowledge that the context in which the x-amz-server-side-encryption-aws-kms-key-id header is used is not clearly defined. To prevent any confusion, we will update and clarify this item accordingly.

    Let me know if you need any further clarifications.

    Regards,

    Carlo @ Tutorials Dojo
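    The three policy shapes discussed in this thread (deny unless the request says SSE-KMS, the Null condition on the KMS key id, and a string match pinning one key) can be compared by running them against sample PutObject requests. The block below is an added example, not code from the thread, the practice exam or AWS: it is a minimal evaluator for just the Deny statements and the StringNotEquals/Null operators those policies use, with constructed request headers and a placeholder key ARN. Note that the AWS-documented form of the first policy checks that the x-amz-server-side-encryption header's value is aws:kms (StringNotEquals), not merely that the header is present, which is what closes the SSE-S3 gap raised in the opening post.

```python
"""Added example: evaluate three S3 bucket-policy variants against sample
PutObject requests. Models only Deny statements with StringNotEquals and
Null conditions; it is not a full IAM policy engine."""
from typing import Dict, List, Optional

# Condition keys S3 derives from the SSE request headers (real key names).
SSE_KEY = "s3:x-amz-server-side-encryption"
KMS_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Constructed placeholder, not a real KMS key ARN.
PLACEHOLDER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"

# Variant 1 (practice-exam answer, in the AWS-documented form): deny unless
# the header value is aws:kms, plus an explicit deny when the header is
# absent. Any KMS key (including the account default) is accepted.
POLICY_REQUIRE_SSE_KMS: List[Dict] = [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"Null": {SSE_KEY: "true"}}},
]

# Variant 2a (Null method from the reply above): deny when the request
# carries no KMS key id at all; whichever key is named is accepted.
POLICY_REQUIRE_ANY_KEY_ID: List[Dict] = [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"Null": {KMS_ID_KEY: "true"}}},
]

# Variant 2b (string-match method): pin writes to one specific key.
POLICY_REQUIRE_SPECIFIC_KEY: List[Dict] = [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {KMS_ID_KEY: PLACEHOLDER_KEY_ARN}}},
]

POLICIES = {
    "require_sse_kms": POLICY_REQUIRE_SSE_KMS,
    "require_any_key_id": POLICY_REQUIRE_ANY_KEY_ID,
    "require_specific_key": POLICY_REQUIRE_SPECIFIC_KEY,
}

# Constructed PutObject requests: header name -> value (no s3: prefix).
REQUESTS: Dict[str, Dict[str, str]] = {
    "no_header": {},
    "sse_s3": {"x-amz-server-side-encryption": "AES256"},
    "sse_kms_default_key": {"x-amz-server-side-encryption": "aws:kms"},
    "sse_kms_specific_key": {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": PLACEHOLDER_KEY_ARN},
    "sse_kms_other_key": {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": OTHER_KEY_ARN},
}


def _condition_matches(operator: str, operands: Dict[str, str],
                       ctx: Dict[str, Optional[str]]) -> bool:
    """True when every key under this operator matches the request context."""
    for key, expected in operands.items():
        actual = ctx.get(key)
        if operator == "StringNotEquals":
            # IAM: a negated operator evaluates true when the key is missing,
            # so an absent header is treated as "not aws:kms" here as well.
            if actual == expected:
                return False
        elif operator == "Null":
            # "true" means the key must be absent; "false" means present.
            if (actual is None) != (expected == "true"):
                return False
        else:
            raise ValueError(f"unsupported operator: {operator}")
    return True


def put_object_allowed(policy: List[Dict], headers: Dict[str, str]) -> bool:
    """Return False if any Deny statement matches, else True (an Allow is
    assumed to exist elsewhere, e.g. on the instance role)."""
    ctx = {f"s3:{name}": value for name, value in headers.items()}
    for stmt in policy:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if all(_condition_matches(op, operands, ctx)
               for op, operands in stmt["Condition"].items()):
            return False  # an explicit deny always wins
    return True


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """Policy name -> request name -> allowed?"""
    return {pname: {rname: put_object_allowed(policy, hdrs)
                    for rname, hdrs in REQUESTS.items()}
            for pname, policy in POLICIES.items()}


if __name__ == "__main__":
    for pname, results in evaluate_all().items():
        print(pname)
        for rname, allowed in results.items():
            print(f"  {rname:24} {'ALLOW' if allowed else 'DENY'}")
```

    The table this prints shows the trade-off the reply describes: the first policy blocks unencrypted and SSE-S3 uploads but accepts any KMS key, the Null policy additionally rejects uploads that rely on the default key, and the string-match policy rejects every key but the pinned one. One practical caveat from the AWS documentation: these header-based conditions deny a request that omits the header even when bucket default encryption would have applied SSE-KMS to it, so clients (here, the EC2 application) must send the header explicitly.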

    • Jayid

      Member
      September 30, 2024 at 7:31 am

      Hello @carlo-tutorialsdojo,

      It looks like the question still hasn't been updated yet. The way the question is currently worded makes it a bit ambiguous to determine the correct answer.

      • JR-TutorialsDojo

        Administrator
        October 2, 2024 at 12:40 pm

        Hello Jayid,

        Thank you for bringing this to our attention.

        We will make the necessary updates, which should be reflected on the portal soon.

        Regards,
        JR @ Tutorials Dojo

        • kevinleroyer

          Member
          November 16, 2025 at 4:38 am

          I don't think that's correct either. The choices should be updated as well. It makes it look like answering "Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header" is wrong when it's not. This is very confusing.

          • JR-TutorialsDojo

            Administrator
            November 19, 2025 at 8:52 pm

            Hello kevinleroyer,

            Thank you for sharing your thoughts on this item. Take note that there are questions in the actual AWS exam that are difficult, tricky, and ambiguous. You have to be prepared to look for specific keywords or key phrases in order to find the most suitable answer. This is the style that we are trying to mimic in our practice tests. Some of the questions do not explicitly show the obvious keywords or phrases that will easily point to the answer.

            Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

            Regards,
            JR @ Tutorials Dojo
