Exam AWS Certified Security - Specialty topic 1 question 131 discussion

This question is in the sample question bank on AWS site. There the answer is marked as BC https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Speciality_Sample-Questions.pdf Reason from the sample question bank B, C –Bucket encryption using KMS will protect both in case disks are stolen as well as if the bucket is public. This is because the AWS KMS key would need to have privileges granted to it for users outside of AWS. HTTPS will protect data in transit. I think it should also mention for GetObject to have the aws:SecureTransport condition specified for download. https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/

CE, B does not force KMS encrypted objects. E does.

BC are correct providing privacy, encryption at rest, and encryption in transit respectively. However, E is not out-right wrong. It is another technique to enforce encryption at rest with custom key.

BC are correct. Example of a guy that encrypted objects and after making public the bucket, everybody can access to the objects: https://stackoverflow.com/questions/59507962/aws-s3-object-encryption-public-accessible How to enforce HTTS in transit: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

Answer B keeps the data at rest encrypted and confidential. Answer C keeps the data in transit encrypted and confidential.

BC is correct according to JackLee1 and Mimikabs explains why SSE-S3 is invalid as well

I think bc

To meet the requirements for the data lake on Amazon S3, the security team should take the following steps: A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket. This will ensure that the data is encrypted at rest, using a strong encryption algorithm. C. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport. This will ensure that the data is encrypted in transit, as aws:SecureTransport is a condition key that checks whether the request is being made using a secure transport (HTTPS). By including a deny statement in the bucket policy, any PutObject requests that are not made using a secure transport will be denied. Option E, adding a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms", would not meet the requirement to encrypt the data in transit. This condition only checks for the use of server-side encryption with AWS KMS-managed keys (SSE-KMS) for the PutObject request, and does not ensure that the data is encrypted in transit.

EC. The datalake upload will must likely be done via CLI so add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".

Why A,C cant be answer?

BC for sure.

B C sorry for the last post in Q24, BC it is. The right answer can be also seen in https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Speciality_Sample-Questions.pdf

B - Protect if the bucket is made public C - Encryption at transit. E - Encryption at rest Duplicated questions with New Q24

B, C for sure

B + C for sure

AB for me. see no issues with s3 encryption.

bc for sure