DVA-C02 Question #534: Real Exam Question with Answer & Explanation
The correct answer is D: Create an S3 bucket policy that denies traffic when the value for the aws:SecureTransport. An S3 bucket policy using the aws:SecureTransport condition key enforces HTTPS for all requests, denying any unencrypted HTTP traffic to the bucket.
Question
An application that is running on Amazon EC2 instances stores data in an Amazon S3 bucket. All the data must be encrypted in transit. How can a developer ensure that all traffic to the S3 bucket is encrypted?
Options
- A. Install certificates on the EC2 instances.
- B. Create a private VPC endpoint.
- C. Configure the S3 bucket with server-side encryption with AWS KMS managed encryption keys.
- D. Create an S3 bucket policy that denies traffic when the value for the aws:SecureTransport
Explanation
An S3 bucket policy using the aws:SecureTransport condition key enforces HTTPS for all requests, denying any unencrypted HTTP traffic to the bucket.
Common mistakes.
- A. Installing certificates on EC2 instances secures the EC2 endpoint but does not enforce or prevent HTTP traffic to the S3 bucket itself.
- B. A VPC endpoint keeps traffic off the public internet but does not by itself enforce TLS; a client can still send plain HTTP to S3 through a gateway endpoint unless the bucket policy also requires aws:SecureTransport.
- C. Server-side encryption with KMS (SSE-KMS) encrypts data at rest, not in transit; it has no effect on whether the connection to S3 uses HTTP or HTTPS.
Concept tested. S3 bucket policy enforcing encryption in transit.
Reference. https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#transit
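The bucket policy the explanation refers to, written out as an added example (it is not part of the original question page); EXAMPLE-BUCKET is a placeholder for the real bucket name. The statement denies every S3 action from any principal whenever the request did not arrive over TLS, which is when aws:SecureTransport evaluates to false; an explicit Deny overrides any Allow, so the application's normal IAM permissions still work for HTTPS requests.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Listing both the bucket ARN and the `/*` object ARN is deliberate: the first covers bucket-level calls such as ListBucket, the second covers object reads and writes, so a plain-HTTP request of either kind is rejected.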