A company stores data in an S3 bucket.
Some of the data contains sensitive information.
They need to ensure that the bucket complies with PCI DSS compliance standards.
Which of the following should be implemented to fulfil this requirement? Choose 2 answers from the options given below.
A. Enable server-side encryption for the bucket
B. Enable versioning for the bucket
C. Ensure that access to the bucket is only given to one IAM Role
D. Ensure that objects from the bucket are requested only via HTTPS

Answer - A and D.
Here the main compliance should be to ensure there is encryption of objects at rest and in transit.
Hence one can achieve this with server-side encryption and ensuring that all communication with the S3 bucket is done via HTTPS.
For more information on the compliance with AWS, please refer to the below URL.
https://aws.amazon.com/compliance/pci-dss-level-1-faqs/

To ensure that an S3 bucket is compliant with PCI DSS compliance standards while storing sensitive data, the following two measures must be implemented:
A. Enable server-side encryption for the bucket:
Server-side encryption is a method of encrypting data at rest that provides an additional layer of security. The S3 service can encrypt the data stored in the S3 bucket by using SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys), SSE-KMS (Server-Side Encryption with AWS KMS Keys) or SSE-C (Server-Side Encryption with Customer-Provided Keys).
SSE-S3 encrypts the data with AES-256 encryption and manages the encryption keys for the user. With SSE-KMS, the encryption keys are managed and controlled by the customer. SSE-C enables users to provide their own encryption keys to encrypt the data stored in S3. It is recommended to use server-side encryption with KMS or S3-managed keys when storing sensitive data in S3 buckets to meet PCI DSS compliance standards.
D. Ensure that objects from the bucket are requested only via HTTPS:
To ensure that the data in the S3 bucket is securely transmitted, it is necessary to enforce that all requests to the bucket are made using HTTPS instead of HTTP. HTTPS provides encrypted communication between the client and the S3 service endpoint, preventing unauthorized access or interception of data.
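The two measures above (A: encryption at rest, D: TLS-only access) are usually enforced with a bucket policy plus a default-encryption setting. The following Python example is added here and is not code from the page or from AWS: it builds the policy and encryption configuration in the JSON shapes that S3's put_bucket_policy and put_bucket_encryption APIs accept, then checks a few constructed requests against the policy with a deliberately simplified evaluator that only understands the Bool and Null condition operators used in it (it is not the IAM policy engine). The bucket name and KMS key ARN are placeholders.

```python
"""Enforce S3 encryption at rest (option A) and HTTPS-only access (option D).

Added example: the policy and encryption config are real S3 JSON shapes;
explicit_denials() is a simplified offline simulation of the two condition
operators the policy uses, not the IAM policy engine.
"""
import fnmatch
import json
from typing import Optional

BUCKET = "example-pci-bucket"  # constructed placeholder, not from the page
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def build_bucket_policy(bucket: str) -> dict:
    """Bucket policy with two explicit Deny statements:
    - DenyInsecureTransport: any request not made over TLS is refused
      (aws:SecureTransport is "false" for plain HTTP).
    - DenyUnencryptedObjectUploads: PutObject without an
      x-amz-server-side-encryption header is refused.
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def default_encryption_config(kms_key_arn: Optional[str] = None) -> dict:
    """ServerSideEncryptionConfiguration for put_bucket_encryption.
    SSE-KMS when a key ARN is given, otherwise SSE-S3 (AES256); uploads that
    omit an SSE header are then encrypted at rest with this default."""
    if kms_key_arn:
        rule = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}
    else:
        rule = {"SSEAlgorithm": "AES256"}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule,
                       "BucketKeyEnabled": bool(kms_key_arn)}]}


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate only the Bool and Null operators against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            value = ctx.get(key)
            if operator == "Bool":
                if value is None or str(value).lower() != expected:
                    return False
            elif operator == "Null":
                if (value is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"operator not simulated: {operator}")
    return True


def explicit_denials(policy: dict, action: str, ctx: dict) -> list:
    """Return the Sids of Deny statements that match this action and context.
    An empty list means this policy raises no objection (other policies and
    IAM permissions still decide whether the call is actually allowed)."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            hits.append(st["Sid"])
    return hits


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print(json.dumps(default_encryption_config(KMS_KEY_ARN), indent=2))
    # Constructed sample requests: plain HTTP read, TLS upload with SSE-KMS,
    # TLS upload without any SSE header.
    samples = [
        ("s3:GetObject", {"aws:SecureTransport": "false"}),
        ("s3:PutObject", {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "aws:kms"}),
        ("s3:PutObject", {"aws:SecureTransport": "true"}),
    ]
    for act, ctx in samples:
        print(act, ctx, "->", explicit_denials(policy, act, ctx) or "not denied")
```

The default-encryption rule covers objects uploaded by clients that forget the SSE header, while the DenyUnencryptedObjectUploads statement makes such uploads fail loudly instead of silently relying on the default; both are worth keeping when auditors ask how encryption at rest is guaranteed.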
The remaining options (B and C) are not directly related to PCI DSS compliance but may provide additional benefits in terms of data management or access control.
B. Enable versioning for the bucket:
Versioning is a feature that allows users to preserve, retrieve, and restore every version of an object in the bucket. This is useful for tracking changes to an object over time or recovering from accidental deletions or overwrites. However, versioning is not a direct requirement for PCI DSS compliance.
C. Ensure that access to the bucket is only given to one IAM Role:
It is important to restrict access to sensitive data stored in the S3 bucket. Access to S3 resources can be controlled using IAM roles, policies, and permissions. However, limiting access to a single IAM role may not be practical or feasible, especially for large organizations or complex data environments. While access control is an important aspect of PCI DSS compliance, restricting a bucket to exactly one IAM role is not a direct requirement of it.