AWS Certified Security - Specialty (#97)

A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The Security team has the following requirements for the architecture: • Data must be encrypted in transit. • Data must be encrypted at rest. • The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Choose two.)

Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
Add a bucket policy that includes a deny if a
PutObject
request does not include
aws:SecureTransport
.
Add a bucket policy with
aws:SourceIp
to
Allow
uploads and downloads from the corporate intranet only.
Add a bucket policy that includes a deny if a
PutObject
request does not include
s3:x-amz-server-side-encryption: "aws:kms"
.
Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.