A security engineer is designing a data protection strategy for a healthcare application that stores Protected Health Information (PHI) in an S3 bucket. The bucket is accessed by multiple AWS services, including Athena and SageMaker. Which TWO actions should the engineer take to ensure encryption at rest and in transit? (Choose two.)
Server-side encryption with Amazon S3-managed keys (SSE-S3) uses AES-256 to encrypt data at rest.
Why this answer
Option A is wrong because, while default encryption provides encryption at rest, it does not enforce encryption in transit. Option B is correct because a bucket policy that denies requests made without HTTPS (TLS) ensures encryption in transit. Option C is correct because enabling bucket default encryption with SSE-S3 or SSE-KMS ensures encryption at rest.
Option D (CloudHSM) is not necessary for S3 encryption and adds complexity. Option E is wrong because Kinesis Data Firehose is not directly relevant to S3 encryption.