DVA-C02 · Question #621
A company has an application that uses an Amazon S3 bucket for object storage. A developer needs to configure in-transit encryption for the S3 bucket. All the S3 objects containing personal data needs
The correct answer is C. Configure the application to encrypt the objects by using an AWS KMS customer managed key D. Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the. Option C is correct because AWS KMS customer managed keys (CMKs) support on-demand rotation, unlike AWS managed keys (which only auto-rotate annually) - this directly satisfies the "rotated on demand" requirement for at-rest encryption of personal data. Option D is correct becaus
Question
A company has an application that uses an Amazon S3 bucket for object storage. A developer needs to configure in-transit encryption for the S3 bucket. All the S3 objects containing personal data needs to be encrypted at rest with AWS KMS keys, which can be rotated on demand. Which combination of steps will meet these requirements? (Choose two.)
Options
- AWrite an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions
- BConfigure an S3 bucket policy to enable client-side encryption for the objects containing personal
- CConfigure the application to encrypt the objects by using an AWS KMS customer managed key
- DWrite an S3 bucket policy to allow only encrypted connections over HTTPS by using the
- EConfigure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections
How the community answered
(28 responses)- A4% (1)
- B11% (3)
- C82% (23)
- E4% (1)
Explanation
Option C is correct because AWS KMS customer managed keys (CMKs) support on-demand rotation, unlike AWS managed keys (which only auto-rotate annually) - this directly satisfies the "rotated on demand" requirement for at-rest encryption of personal data. Option D is correct because enforcing in-transit encryption requires a bucket policy that explicitly denies requests where aws:SecureTransport is false, which blocks all non-HTTPS connections to the bucket.
Option A is wrong because simply "allowing" HTTPS connections doesn't block HTTP - you must explicitly deny when aws:SecureTransport is false; Option A lacks that deny logic. Option B is wrong because S3 bucket policies cannot enable client-side encryption - that is handled entirely by the application/SDK before the object reaches S3, not by bucket policy. Option E is wrong because S3 Block Public Access controls who can access the bucket (public vs. private), not how the data travels (HTTP vs. HTTPS).
Memory tip: Think of it as two separate problems - at rest (CMK = Customer Managed Key = on-demand rotation) and in transit (HTTPS = aws:SecureTransport deny policy). For the exam, whenever you see "rotated on demand," that's your signal to choose customer managed key, never AWS managed key.
Topics
Community Discussion
No community discussion yet for this question.