A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only. What should the Security Engineer do to achieve this?
A) Use envelope encryption with the AWS-managed CMK aws/s3.
B) Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
C) Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
D) Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"