Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 76 discussion

B caters to both existing and new buckets. C is triggered on when new bucket is created, existing buckets are not handled by the event.

B to me

I think neither "B" or "C" is complete solution. They both need to be done to deal with both existing and new buckets. A carefull reading of the question doesn't preclude the need to do both. However, the specific and emphasized criteria of enabling encryption "as soon as the S3 buckets are created" can only be done by "C" (event driven action) I think this may be a trick question. I'm very confident they are defining an event driven action as part of the solution, and only "C" provides that. B: (NO) "Manually run the re-evaluation process to ensure that existing S3 buckets are compliant." Comment: Doesn't achieve "encryption must be enabled on new S3 buckets as soon as the S3 buckets are created."

`s3-bucket-server-side-encryption-enabled` checks if your Amazon S3 bucket either has the Amazon S3 default encryption enabled or that the Amazon S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.

A is correct: <implement a solution to ensure that server-side encryption is enabled on all existing S3 buckets and all new S3 buckets>: We can use lambda to configure all S3. Use Eventbridge to schedule-run lambda. B: This option uses AWS config rule to activate AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook, which is incorrect. Remember that AWS config have no action and cannot trigger anything. It only collect data and report. Additionally, this option does not mention actions to new S3 bucket C: <define the rule with an event pattern that matches the creation of new S3 buckets> means that this only affect newly-created bucket, not existing ones. D: No mention of enforcing encryption on S3 Note: Should not use chatgpt for this exam, its answers are mostly wrong

Answer is B https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html

I would have chose B over D because aws config can do this with lambda.

A has automation. I didn't like B: because of this statement: Manually run the re-evaluation process to ensure that existing S3 buckets are compliant.

Amazon S3 Encrypts New Objects By Default https://aws.amazon.com/blogs/aws/amazon-s3-encrypts-new-objects-by-default/#:~:text=At%20AWS%2C%20security%20is%20the,specify%20a%20different%20encryption%20option.

B to me. AWS Config can monitor resource compliance against desired configurations. The managed rule s3-bucket-server-side-encryption-enabled checks whether Amazon S3 buckets have server-side encryption enabled. The AWS Systems Manager Automation runbook, AWS-EnableS3BucketEncryption, can be used as a remediation action to enable default encryption. This solution would also work for new buckets as soon as they're created, making it an effective solution.

B is right. Doable solution for new buckets as well as existing buckets.

Option C meets the requirement of modifying the policy immediately after creating the bucket.