Answer-first summary for fast verification
Answer: Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
## Explanation Let's analyze each option against the requirements: **Requirements:** 1. Encrypt PHI in transit (HTTPS/TLS) 2. Encrypt PHI at rest 3. Compliance team must administer the encryption key for data at rest **Option A Analysis:** - Creates SSL/TLS certificate in ACM (good for encryption in transit) - Associates certificate with S3 (not necessary for S3 encryption in transit) - Configures SSE-KMS (good for encryption at rest with customer-managed keys) - Assigns compliance team to manage KMS keys (meets requirement #3) - **Issue:** Missing the `aws:SecureTransport` condition to enforce HTTPS-only access **Option B Analysis:** - Uses `aws:SecureTransport` condition (enforces HTTPS/TLS, meets requirement #1) - Configures SSE-S3 (encryption at rest, but with S3-managed keys) - Assigns compliance team to manage SSE-S3 keys (problem: SSE-S3 keys are managed by AWS, not customers) - **Issue:** SSE-S3 keys cannot be administered by customers - they are fully managed by AWS **Option C Analysis:** - Uses `aws:SecureTransport` condition (enforces HTTPS/TLS, meets requirement #1) - Configures SSE-KMS (encryption at rest with KMS keys, meets requirement #2) - Assigns compliance team to manage KMS keys (meets requirement #3 - KMS keys can be customer-managed) - **Perfect:** Meets all requirements **Option D Analysis:** - Uses `aws:SecureTransport` condition (enforces HTTPS/TLS, meets requirement #1) - Uses Amazon Macie (for data discovery and classification, not for encryption) - Assigns compliance team to manage Macie (doesn't meet encryption at rest requirement) - **Issue:** Macie doesn't provide encryption; it's for data discovery and protection, not encryption **Key Points:** - `aws:SecureTransport` condition in S3 bucket policies is the correct way to enforce HTTPS/TLS encryption in transit - SSE-KMS allows customers to manage their own encryption keys through AWS KMS - SSE-S3 uses AWS-managed keys that customers cannot administer - Amazon Macie is for data discovery, classification, and protection, not for encryption implementation **Correct Answer: C** - It properly enforces HTTPS with `aws:SecureTransport`, uses SSE-KMS for encryption at rest with customer-managed keys, and allows the compliance team to administer the KMS keys.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A hospital needs to store patient records in an Amazon S3 bucket. The hospital's compliance team must ensure that all protected health information (PHI) is encrypted in transit and at rest. The compliance team must administer the encryption key for data at rest.
Which solution will meet these requirements?
A
Create a public SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with Amazon S3. Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
B
Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with S3 managed encryption keys (SSE-S3). Assign the compliance team to manage the SSE-S3 keys.
C
Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
D
Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Use Amazon Macie to protect the sensitive data that is stored in Amazon S3. Assign the compliance team to manage Macie.