nerdexam
Amazon

DVA-C02 · Question #534

An application that is running on Amazon EC2 instances stores data in an Amazon S3 bucket. All the data must be encrypted in transit. How can a developer ensure that all traffic to the S3 bucket is en

The correct answer is D. Create an S3 bucket policy that denies traffic when the value for the aws:SecureTransport. An S3 bucket policy using the aws:SecureTransport condition key enforces HTTPS for all requests, denying any unencrypted HTTP traffic to the bucket.

Submitted by brentm· Mar 5, 2026Security

Question

An application that is running on Amazon EC2 instances stores data in an Amazon S3 bucket. All the data must be encrypted in transit. How can a developer ensure that all traffic to the S3 bucket is encrypted?

Options

  • AInstall certificates on the EC2 instances.
  • BCreate a private VPC endpoint.
  • CConfigure the S3 bucket with server-side encryption with AWS KMS managed encryption keys
  • DCreate an S3 bucket policy that denies traffic when the value for the aws:SecureTransport

How the community answered

(21 responses)
  • A
    14% (3)
  • B
    10% (2)
  • C
    5% (1)
  • D
    71% (15)

Why each option

An S3 bucket policy using the aws:SecureTransport condition key enforces HTTPS for all requests, denying any unencrypted HTTP traffic to the bucket.

AInstall certificates on the EC2 instances.

Installing certificates on EC2 instances secures the EC2 endpoint but does not enforce or prevent HTTP traffic to the S3 bucket itself.

BCreate a private VPC endpoint.

A VPC endpoint keeps traffic off the public internet but does not by itself enforce TLS; traffic through a gateway endpoint to S3 is unencrypted unless the bucket policy also enforces SecureTransport.

CConfigure the S3 bucket with server-side encryption with AWS KMS managed encryption keys

Server-side encryption with KMS (SSE-KMS) encrypts data at rest, not in transit; it has no effect on whether the connection to S3 uses HTTP or HTTPS.

DCreate an S3 bucket policy that denies traffic when the value for the aws:SecureTransportCorrect

Adding a bucket policy with a Deny statement that triggers when aws:SecureTransport is false ensures all requests must use TLS/HTTPS. Any client attempting an unencrypted HTTP request will receive an Access Denied error, guaranteeing encryption in transit at the bucket policy enforcement layer.

Concept tested: S3 bucket policy enforcing encryption in transit

Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#transit

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice