-
S3 encryption
-
An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS–Managed Keys (SSE-KMS).
Which of the following is required to properly implement this requirement?
the answer from the practice exam is:
Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header.
but, in my opinion, the answer should be:
Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.
Because: x-amz-server-side-encryption can be used to specify encryption either with SSE-S3 or KMS.
Hence it might defeat the objective to encrypt with KMS. Although without the x-amz-server-side-encryption-aws-kms-key-id header KMS can still be applicable (by applying the default KMS key), enforcing this header to exist guarantees we encrypt the object using a KMS key.
What do you guys think ?
PS: Is there any feature in the forum to search any post ? So I can search with keyword like “S3” or “encryption” before posting a new thread, and prevent post duplication?
Thanks
- This discussion was modified 11 months, 3 weeks ago by JustCloud.
-
Thanks for your feedback.
I understand your concern.
There are various methods for using the x-amz-server-side-encryption-aws-kms-key-id in a condition within a bucket policy. One way is to place it under a Null condition and set the value of x-amz-server-side-encryption-aws-kms-key-id to true. By doing this, if no specific KMS ID is provided in the request, S3 will deny the request. Another method is to use a String match condition which will allow you to enforce the usage of a particular KMS key. In this question, the option “Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.” is meant to refer to the second method, hence why it’s considered wrong, since the scenario is simply asking for the enforcement of SSE-KMS, regardless of the KMS key used.
We acknowledge that the context in which the x-amz-server-side-encryption-aws-kms-key-id header is used is not clearly defined. To prevent any confusion, we will update and clarify this item accordingly.
Let me know if you need any further clarifications.
Regards,
Carlo @ Tutorials Dojo
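The two bucket-policy approaches discussed in this thread, as an added example that is not part of the original posts: a Deny on s3:PutObject when the encryption header is absent or is not aws:kms (enforces SSE-KMS with any key), and an optional further Deny that pins one specific KMS key via x-amz-server-side-encryption-aws-kms-key-id. The bucket name and key ARN are placeholders, and the evaluator is a deliberately simplified model of only the Null and StringNotEquals operators (it assumes an Allow exists elsewhere).

```python
def _deny(sid, resource, condition):
    """One explicit-Deny statement on s3:PutObject for the given condition."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": resource, "Condition": condition}


def build_sse_kms_policy(bucket, kms_key_arn=None):
    """Deny uploads unless they request SSE-KMS. With kms_key_arn set, also
    deny uploads that use any other key (the 'String match' method above)."""
    res = f"arn:aws:s3:::{bucket}/*"  # bucket is a placeholder name
    stmts = [
        # header missing entirely -> unencrypted or bucket-default upload, deny
        _deny("DenyUnencryptedPut", res,
              {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        # header present but e.g. AES256 (SSE-S3) instead of aws:kms -> deny
        _deny("DenyNonKmsPut", res,
              {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
    ]
    if kms_key_arn:  # optional: require one particular customer managed key
        stmts.append(_deny("DenyWrongKmsKey", res, {"StringNotEquals": {
            "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}))
    return {"Version": "2012-10-17", "Statement": stmts}


def _condition_matches(condition, ctx):
    """Simplified IAM semantics for the two operators used in the policy.
    ctx maps condition keys to request header values; a missing key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # Null:true matches only when the key is absent, Null:false only when present
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                # negated operator: an absent key counts as "not equal", i.e. a match
                if present and ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def put_is_denied(policy, headers):
    """True if any Deny statement matches a PutObject carrying these x-amz-* headers."""
    ctx = {f"s3:{name}": value for name, value in headers.items()}  # header -> condition key
    return any(stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
               and _condition_matches(stmt["Condition"], ctx)
               for stmt in policy["Statement"])
```

Running put_is_denied over constructed requests shows the difference the thread is about: the plain policy accepts aws:kms with the default key, while the key-pinned policy also rejects a request that omits the key-id header.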
-
Hello @carlo-tutorialsdojo,
It looks like the question still hasn’t been updated yet. The way the question is currently worded makes it a bit ambiguous to determine the correct answer.
-
Hello Jayid,
Thank you for bringing this to our attention.
We will make the necessary updates, which should be reflected on the portal soon.
Regards,
JR @ Tutorials Dojo
-