A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?
Trap 1: Apply a bucket policy on each bucket denying PutObject without…
A bucket policy is scoped to the single bucket it is attached to. Covering every bucket in every account means attaching and maintaining one policy per bucket, and a newly created bucket has no policy at all until someone adds it.
Trap 2: Enable AWS Config with the s3-bucket-server-side-encryption-enabled…
AWS Config is detective, not preventive: the rule reports buckets as non-compliant after the fact (and it accepts SSE-S3 as well as SSE-KMS). It does not stop an unencrypted PutObject from succeeding.
Trap 3: Attach an IAM policy to each account's admin user requiring…
IAM identity policies are scoped to one account and to the principals they are attached to. They are not inherited across accounts, they do not cover roles or other users in that account, and the admin they are attached to can simply detach them.
- A
Apply a bucket policy on each bucket denying PutObject without encryption
Why wrong: A bucket policy is scoped to the single bucket it is attached to. Covering every bucket in every account means attaching and maintaining one policy per bucket, and a newly created bucket has no policy at all until someone adds it.
- B
Create an SCP attached to the organization root that denies s3:PutObject unless the request specifies SSE-KMS (s3:x-amz-server-side-encryption set to aws:kms)
Why correct: An SCP attached to the root applies to every IAM principal in every member account, including each account's root user, regardless of what permissions those principals are granted locally. It is the only option that is both organization-wide and preventive. Note that SCPs never restrict the management account or service-linked roles, so the management account should hold no workloads. (There is no s3:PutBucketAction; the action that carries the encryption header is s3:PutObject.)
- C
Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule
Why wrong: AWS Config is detective, not preventive: the rule reports buckets as non-compliant after the fact (and it accepts SSE-S3 as well as SSE-KMS). It does not stop an unencrypted PutObject from succeeding.
- D
Attach an IAM policy to each account's admin user requiring encryption
Why wrong: IAM identity policies are scoped to one account and to the principals they are attached to. They are not inherited across accounts, they do not cover roles or other users in that account, and the admin they are attached to can simply detach them.
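As an added worked example (not part of the original question), this is what option B looks like as an SCP document. It follows the two-statement pattern AWS publishes for S3 bucket policies: the first statement denies an upload whose encryption header names anything other than SSE-KMS, the second denies an upload that omits the header entirely. The Sid values are labels chosen here; SCPs take no Principal element, and Resource is left as "*" so the guardrail covers every bucket in every member account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Caveats a practitioner should check before attaching this at the root: the condition key is evaluated against the request, so every client and pipeline must send x-amz-server-side-encryption: aws:kms explicitly; relying on a bucket's default encryption setting does not satisfy it, and uploads without the header fail with AccessDenied. If dual-layer encryption is in use, add aws:kms:dsse as a second allowed value in the StringNotEquals list. The SCP governs only new uploads; it does not re-encrypt objects that already exist, and it does not restrict the management account. Attach it to a sandbox OU first and watch for denied PutObject calls in CloudTrail before moving it to the root.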