DVA-C02 · Question #534
An application that is running on Amazon EC2 instances stores data in an Amazon S3 bucket. All the data must be encrypted in transit. How can a developer ensure that all traffic to the S3 bucket is en
The correct answer is D. Create an S3 bucket policy that denies traffic when the value for the aws:SecureTransport. An S3 bucket policy using the aws:SecureTransport condition key enforces HTTPS for all requests, denying any unencrypted HTTP traffic to the bucket.
Question
An application that is running on Amazon EC2 instances stores data in an Amazon S3 bucket. All the data must be encrypted in transit. How can a developer ensure that all traffic to the S3 bucket is encrypted?
Options
- AInstall certificates on the EC2 instances.
- BCreate a private VPC endpoint.
- CConfigure the S3 bucket with server-side encryption with AWS KMS managed encryption keys
- DCreate an S3 bucket policy that denies traffic when the value for the aws:SecureTransport
How the community answered
(21 responses)- A14% (3)
- B10% (2)
- C5% (1)
- D71% (15)
Why each option
An S3 bucket policy using the aws:SecureTransport condition key enforces HTTPS for all requests, denying any unencrypted HTTP traffic to the bucket.
Installing certificates on EC2 instances secures the EC2 endpoint but does not enforce or prevent HTTP traffic to the S3 bucket itself.
A VPC endpoint keeps traffic off the public internet but does not by itself enforce TLS; traffic through a gateway endpoint to S3 is unencrypted unless the bucket policy also enforces SecureTransport.
Server-side encryption with KMS (SSE-KMS) encrypts data at rest, not in transit; it has no effect on whether the connection to S3 uses HTTP or HTTPS.
Adding a bucket policy with a Deny statement that triggers when aws:SecureTransport is false ensures all requests must use TLS/HTTPS. Any client attempting an unencrypted HTTP request will receive an Access Denied error, guaranteeing encryption in transit at the bucket policy enforcement layer.
Concept tested: S3 bucket policy enforcing encryption in transit
Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#transit
Community Discussion
No community discussion yet for this question.