A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?
- A: Configure a bucket policy that denies s3:PutObject when the s3:x-amz-server-side-encryption condition key equals aws:kms.
  Why wrong: This would also deny reading objects encrypted with SSE-KMS if the policy is applied to all actions.
- B: Use an S3 Lifecycle policy to transition existing SSE-KMS objects to SSE-S3.
  Why wrong: Lifecycle policies do not change the encryption of existing objects; they only transition storage class.
- C: Apply a bucket policy that denies s3:PutObject unless the x-amz-server-side-encryption header is AES256.
  Why correct: This policy enforces SSE-S3 for uploads without affecting reads of existing objects.
- D: Disable SSE-KMS in the AWS KMS key policy to prevent its use.
  Why wrong: Disabling the key would make existing SSE-KMS objects unreadable.