AWS Certified DevOps Engineer - Professional


A company stores important documents in Amazon S3 buckets and has identified that some buckets lack encryption. The company mandates that all S3 buckets, both existing and newly created, must be encrypted with server-side encryption using the 256-bit Advanced Encryption Standard (AES-256). What solution should a DevOps engineer implement to enforce this encryption requirement across all S3 buckets?




Explanation:

The correct answer is B. This solution meets the requirement of ensuring server-side encryption for both existing and new S3 buckets using AES-256. The s3-bucket-server-side-encryption-enabled AWS Config managed rule will continuously monitor the buckets to verify compliance, and the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook will automatically remediate any buckets that are not encrypted. The initial manual run of the re-evaluation process ensures that all existing buckets are compliant.