An organization requires that all Amazon S3 buckets be encrypted at rest by default. A SysOps administrator needs to enforce this using AWS Config. Which AWS Config managed rule should be used?
Trap 1: s3-bucket-ssl-requests-only
Incorrect. This rule enforces encryption in transit (SSL/TLS), not encryption at rest.
Trap 2: s3-bucket-public-read-prohibited
Incorrect. This rule prevents public read access, which is unrelated to encryption.
Trap 3: s3-bucket-logging-enabled
Incorrect. This rule checks whether server access logging is enabled, not whether the bucket is encrypted.
- A
s3-bucket-encryption-enabled
Correct. This rule evaluates whether default encryption is configured on the bucket, meeting the requirement for encryption at rest.
- B
s3-bucket-ssl-requests-only
Why wrong: This rule enforces encryption in transit (SSL/TLS), not encryption at rest.
- C
s3-bucket-public-read-prohibited
Why wrong: This rule prevents public read access, which is unrelated to encryption.
- D
s3-bucket-logging-enabled
Why wrong: This rule checks whether server access logging is enabled, not whether the bucket is encrypted.