Reply To: Timed Mode Set 3 Question 54 – AWS Certified Security Specialty
Hello Girish,
Thank you for your feedback. Let me explain why option 1 is the correct answer.
Yes, you are correct that the s3:CreateBucket API call itself does not directly support condition keys that require server-side encryption. However, SCPs can be used to enforce policies at the account level to control actions related to resource creation, including S3 buckets and DynamoDB tables.
Service Control Policies (SCPs) are used to manage permissions in AWS Organizations. An SCP can deny the creation of resources unless specific conditions are met, even if the individual API does not support those conditions. This includes enforcing encryption policies across an AWS account or organization.
By enforcing an SCP that denies the creation of S3 buckets and DynamoDB tables that do not have encryption with a customer-managed key, the company can ensure that all data stored in these services is encrypted using the specified key. This is an organizational-level policy, ensuring compliance across all accounts.
Creating a key policy that permits the necessary kms:Decrypt action for Amazon S3, DynamoDB, and Lambda ensures that these services can use the customer-managed key for encryption and decryption operations. This step is crucial for allowing the services to access the encrypted data.
To address your concern about the CreateBucket API specifically, the enforcement is at the organizational level using SCPs, not through direct conditions on the API call itself. This approach leverages the hierarchical permission structure provided by AWS Organizations.
For further reference, you can review the official AWS documentation on Service Control Policies and AWS KMS key policies.
I hope this clarifies how the correct answer aligns with AWS security best practices and the capabilities of SCPs in enforcing encryption requirements.
Regards,
Nikee @ Tutorials Dojo
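As an added illustration of the two policy documents the reply talks about (this is example code, not part of the post or of Tutorials Dojo's material), the block below builds a KMS key policy that lets S3, DynamoDB and Lambda use a customer-managed key on behalf of IAM principals in the account, scoped with the `kms:ViaService` condition key, and an SCP that denies S3 object writes not encrypted with that key, using the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key. A small evaluator then shows the condition semantics both documents depend on, in particular that a negated operator such as `StringNotEquals` matches when the header is absent, so an unencrypted write is denied too. The account id, region, key id and the `KMSKeyAdministrator` role name are constructed placeholders.

```python
"""Added example (not from the post): the KMS key policy and SCP the reply
describes, plus a minimal evaluator for the IAM condition semantics they
rely on. Account id, region, key id and role name are constructed."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"   # constructed placeholder
REGION = "us-east-1"          # constructed placeholder
KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/"
           "11111111-2222-3333-4444-555555555555")   # constructed placeholder
SSE_KMS_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def build_key_policy(account_id=ACCOUNT_ID, region=REGION):
    """Key policy: a dedicated role administers the key but cannot use it;
    IAM principals of the account may use it only when the call arrives
    through S3, DynamoDB or Lambda (kms:ViaService)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                # constructed role name; console-generated policies also keep
                # the account root here so the key cannot become unmanageable
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/KMSKeyAdministrator"},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*",
                           "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*",
                           "kms:Disable*", "kms:Get*", "kms:Delete*",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {
                "Sid": "AllowUseViaS3DynamoDBLambda",
                "Effect": "Allow",
                # account root as principal delegates to the IAM policies
                # of the account's own principals
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": ["kms:Decrypt", "kms:Encrypt",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": [
                    f"s3.{region}.amazonaws.com",
                    f"dynamodb.{region}.amazonaws.com",
                    f"lambda.{region}.amazonaws.com",
                ]}},
            },
        ],
    }


def build_scp(key_arn=KEY_ARN):
    """SCP: deny S3 object writes that do not name the customer-managed key.
    StringNotEquals also matches when the header is missing, so a plain
    unencrypted PutObject is denied as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyS3WritesNotUsingCMK",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"StringNotEquals": {SSE_KMS_KEY_ID: key_arn}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(statement, action):
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))


def _principal_matches(statement, principal_arn):
    """An account-root principal covers every principal of that account;
    any other ARN must match exactly. The account id is ARN field 4."""
    for arn in _as_list(statement["Principal"]["AWS"]):
        if arn == principal_arn:
            return True
        if arn.endswith(":root") and arn.split(":")[4] == principal_arn.split(":")[4]:
            return True
    return False


def _condition_holds(condition, context):
    """Subset of IAM condition logic: StringEquals / StringNotEquals, several
    values OR-ed, several keys AND-ed. A negated operator evaluates to true
    when the key is absent from the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def scp_denies(scp, action, context):
    """True if any Deny statement of the SCP matches the request."""
    return any(s["Effect"] == "Deny" and _action_matches(s, action)
               and _condition_holds(s.get("Condition", {}), context)
               for s in scp["Statement"])


def key_policy_allows(policy, action, principal_arn, context):
    """True if an Allow statement matches principal, action and condition."""
    return any(s["Effect"] == "Allow" and _principal_matches(s, principal_arn)
               and _action_matches(s, action)
               and _condition_holds(s.get("Condition", {}), context)
               for s in policy["Statement"])


if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    app_role = f"arn:aws:iam::{ACCOUNT_ID}:role/AppRole"   # constructed
    print("PutObject without SSE-KMS header denied:",
          scp_denies(build_scp(), "s3:PutObject", {}))
    print("Decrypt via S3 allowed:", key_policy_allows(
        build_key_policy(), "kms:Decrypt", app_role,
        {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}))
```

The `kms:ViaService` statement is what lets the services "use the customer-managed key" as the reply puts it, while keeping direct `kms:Decrypt` calls from the same principals outside the allowed path; the evaluator's `_condition_holds` is a teaching subset of IAM logic, not a policy simulator.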