Step-by-Step Breakdown:
Requirement Summary:
In-transit encryption (when data is moving between client and S3)
Encryption at rest using AWS KMS keys (which are rotatable on-demand)
Option A: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions boundary
Incorrect: Permissions boundaries are for IAM policy control, not S3 bucket policies.
Also, encryption enforcement in-transit is not achieved through permissions boundaries.
Option B: Configure an S3 bucket policy to enable client-side encryption
Incorrect: AWS does not enforce client-side encryption via S3 bucket policies.
Client-side encryption must be handled entirely by the application.
Also, KMS is for server-side encryption, not client-side.
Option C: Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects
Correct: This fulfills the requirement of encrypting objects at rest using a KMS CMK, which can be rotated.
You can specify the KMS key using the SSE-KMS option when putting an object.
Option D: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition
Correct: This enforces in-transit encryption, which ensures that only HTTPS connections are allowed.
This is the AWS-recommended way to enforce encryption in transit via bucket policy.
Option E: Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS
Incorrect: Block Public Access is used to prevent public exposure of the bucket.
It has nothing to do with encryption enforcement, whether in transit or at rest.
Using SSE-KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
aws:SecureTransport condition in bucket policies: https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html
Server-side encryption with AWS KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
