A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access to each IAM user can access an assigned folder only. What should the Security Engineer do to achieve this?

Topic #: - All AWS Certified Security - Specialty Questions

A. Use envelope encryption with the AWS-managed CMK aws/s3.
B. Create a customer-managed CMK with a key policy granting ג€kms:Decryptג€ based on the ג€${aws:username}ג€ variable.
C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
D. Change the applicable IAM policy to grant S3 access to ג€Resourceג€: ג€arn:aws:s3:::examplebucket/${aws:username}/*ג€

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Reference Material:

Suggested Answer:

Reference Material:

Share this post

Join the Discussion