A company is designing a solution to serve content from an Amazon CloudFront distribution that will have an Amazon S3 bucket as the origin. A security engineer needs to encrypt S3 data at rest with an AWS Key Management Service (KMS) customer managed key rather than with an S3 managed key. The solution must minimize operational overhead. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

Topic #: - All AWS Certified Security - Specialty Questions

A. Create the S3 bucket. Configure server-side encryption with a customer managed KMS key. Most Voted
B. Create the S3 bucket. Configure server-side encryption with customer-provided encryption keys (SSE-C).
C. Create the CloudFront distribution. Use the S3 bucket as the origin. Configure the distribution to use an origin access identity (OAI).
D. Create the CloudFront distribution. Use the S3 bucket as the origin. Delete the origin access identity (OAI) configuration. Most Voted
E. Configure the CloudFront distribution cache to encrypt data at rest by using the customer managed KMS key.
F. Create a Lambda@Edge function that runs for origin request events and reads from the S3 bucket by using the customer managed KMS key. Most Voted

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Reference Material:

Suggested Answer:

Reference Material:

Share this post

Join the Discussion