Exam AWS Certified Security - Specialty topic 1 question 235 discussion

Answer is D. https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-store-kms-encrypted-objects/

B https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html there is no stringnotlikeifexists

Ans: D Subtle but Crucial distinction; For example, in an AWS S3 bucket policy, if you want to deny objects without a specified ACL, you might use StringNotLike. However, if the x-amz-acl condition is not behaving as expected (for instance, denying a simple put with no ACL), you could consider using StringNotLikeIfExists. The difference between StringNotLike and StringNotLikeIfExists lies in how they handle the absence of the specified key in the request. ---> [Important part] With StringNotLike, if the key (s3:x-amz-acl in our examples) is not present in the request, the condition returns false, and the policy statement is not applied. <------ This means that if the key is missing, the action (s3:PutObject) is not denied. With StringNotLikeIfExists, if the key is not present in the request, the condition returns true, and the policy statement is applied. <------ This means that if the key is missing, the action is denied.

C Not A. Please note the key that is required to be used is KMS key (SSE-KMS), not SSE-S3 for which the condition is "AES256" https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#require-sse-kms

B is the correct answer https://repost.aws/knowledge-center/s3-bucket-store-kms-encrypted-objects ... "Encryption headers are headers such as x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id" https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html ... "StringLikeIfExists. You do this to say "If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true."

B is correct StringNotLike which means the condition will be evaluated for all requests, whether or not the "s3:x-amz-server-side-encryption-aws-kms-key-id" key is present in the request Option D uses "StringNotLikeIfExists," which means the condition will only be evaluated if the "s3:x-amz-server-side-encryption-aws-kms-key-id" key exists in the request. If the key doesn't exist in the request, the condition won't be evaluated, and the Deny effect won't be applied

C -https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html. Pay attention, when you are use "s3:x-amz-server-side-encryption-aws-kms-key-id" you should specify exact key. (as I understood)

D - https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-kms-encryption.html

Answer should be "C" https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

The answer is D: https://repost.aws/knowledge-center/s3-bucket-store-kms-encrypted-objects Which has this exact example.

Its B guys for sure!

Not D... tricky question... Nice try AWS :) Be careful from AWS trolls in the comments they write wrong answers to mislead you...

D I am not chosing B because, it has wildcard in it is using `StringNotEquals`. Whereas option D has like operator with a wildcard.

D is correct

B. You don’t want to allow other methods of encryption such as AES-256. Key is mandatory.

Answer D: https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-store-kms-encrypted-objects/

D. Use Amazon S3 default encryption to be sure that objects uploaded without encryption headers (such as x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id) are encrypted by AWS KMS before they are stored in your S3 bucket. Then, use the bucket policy to be sure that objects with another encryption setting (AES-256) can't be uploaded, and that objects uploaded with AWS KMS encryption contain a key ID from your AWS account.