DOP-C02 Configuration Management and IaC • Set 16
DOP-C02 Configuration Management and IaC Practice Test 16 — 15 questions with explanations. Free, no signup.
An organization wants to ensure that all objects stored in the S3 bucket are encrypted at rest using server-side encryption with S3 managed keys (SSE-S3). The bucket policy above is intended to enforce this. However, a user reported that they can still upload unencrypted objects. What is the MOST likely reason?
Refer to the exhibit.
AWS CloudFormation template snippet:
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-data-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: ExpireOldVersions
            Status: Enabled
            NoncurrentVersionExpirationInDays: 30
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: s3:GetObject
            Principal: "*"
            Resource: !Sub "${MyBucket.Arn}/*"
            Condition:
              StringEquals:
                s3:x-amz-server-side-encryption: "AES256"