Amazon S3 Bucket Encryption Best Practices

Enable SSE: KMS Encryption for Secure Storage

Prev Question Next Question

Question

A private bank is using an Amazon S3 bucket to save all transaction documents.

During the annual Audit, it was found that some documents uploaded by users are unencrypted which is against security guidelines.

Security Head has asked you to make necessary changes in the Amazon S3 bucket to ensure that no object should be stored in a bucket without SSE: KMS encryption enabled.

Which of the following will meet this requirement?

Answers

A. Create an S3 bucket policy that will deny an object upload request without header " s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS.

B. Create an S3 bucket policy that will deny an object upload request without header "s3:x-amz-server-side-encryption" for server-side encryption with SSE-KMS.

C. Create an S3 ACL that will deny an object upload request without header "s3:x-and-server-side-encryption" for server-side encryption with SSE-KMS.

D. Create an S3 ACL that will deny an object upload request without header " s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - B.

When an object is uploaded to the Amazon S3 bucket, a header “x-amz-server-side-encryption” requesting aws:kms encryption is added to that object.

To deny any user to upload unencrypted objects to the S3 bucket, a bucket policy can be created to check the header & deny user permission from uploading if the header is not present.

Option A is incorrect as header matching must be done on "s3:x-amz-server-side-encryption" & not based upon " s3:x-amz-server-side-encryption-context" which specifies encryption context for the object.

Options C& D are incorrect as Using S3 ACL is not a feasible option.

For more information on encryption on the Amazon S3 bucket, refer to the following URL-

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

The correct answer to this question is A. Create an S3 bucket policy that will deny an object upload request without header "s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS.

Explanation: To ensure that no object is stored in an Amazon S3 bucket without SSE-KMS encryption, we need to create an S3 bucket policy. S3 bucket policies are used to manage access to S3 resources and to define rules that can deny or allow certain actions. In this case, we need to define a policy that will deny any object upload request that does not include the header "s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS.

Option A is the correct answer because it includes the header "s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS, which will ensure that all objects uploaded to the S3 bucket are encrypted. Option B is incorrect because it does not include the context header, which is required for SSE-KMS encryption. Option C is also incorrect because it refers to an S3 ACL (Access Control List) which cannot be used to enforce server-side encryption policies. Option D is also incorrect because it refers to an S3 ACL and it does not include the correct header for SSE-KMS encryption.

In summary, the correct way to ensure that no object is stored in an Amazon S3 bucket without SSE-KMS encryption enabled is to create an S3 bucket policy that will deny any object upload request without the header "s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS.

Prev Question Next Question