AWS S3 IAM Policy for Encrypted Data Uploads

Secure Data Uploads with the Correct IAM Policy

Question

Your financial services organization is using the AWS S3 service to store highly sensitive data.

What is the correct IAM Policy that must be applied to ensure that all objects uploaded to the S3 bucket are encrypted?

Explanations

Answer: A.

Option A is CORRECT because it uses the s3:x-amz-server-side-encryption condition key in a Deny statement, so any PutObject request to the bucket that does not ask for server-side encryption is rejected regardless of what other permissions the caller holds.

Option B is incorrect because the resource is "arn:aws:s3:::SensitiveDataBucket" instead of "arn:aws:s3:::SensitiveDataBucket/*". s3:PutObject acts on objects, and a bucket ARN without the /* suffix never matches an object key, so the Deny would never apply.

Option C is incorrect because it does not use the s3:x-amz-server-side-encryption condition key, which is the key that carries the encryption setting requested for each uploaded object.

Option D is incorrect for the same reason: without the s3:x-amz-server-side-encryption condition key there is nothing in the policy that distinguishes an encrypted upload from an unencrypted one.

Reference:

To grant s3:PutObject permission while requiring that objects be stored with server-side encryption, the account administrator can use the s3:x-amz-server-side-encryption condition key as shown.

The key-value pair in the Condition block names the s3:x-amz-server-side-encryption key, which carries the value of the x-amz-server-side-encryption header sent with the upload request:

```json
"Condition": {
  "StringNotEquals": {
    "s3:x-amz-server-side-encryption": "AES256"
  }
}
```

https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html

The correct policy is option A. Because it carries a Principal element it is applied to SensitiveDataBucket as a bucket policy (a resource-based policy), not attached to a user or role:

```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::SensitiveDataBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```

Explanation:

The IAM policy statement includes the following elements:

  • Version: Indicates the policy language version.

  • Id: Optional identifier for the policy as a whole.

  • Statement: Contains an array of one or more policy statements.

  • Sid: Optional identifier for the policy statement.

  • Effect: Specifies whether the policy statement allows or denies access.

  • Principal: Specifies the user, account, service, or other entity that the policy statement applies to. Principal is only valid in resource-based policies such as S3 bucket policies; an identity-based IAM policy attached to a user, group, or role omits it.

  • Action: Specifies the action or actions that are allowed or denied.

  • Resource: Specifies the resource or resources that the policy statement applies to.

  • Condition: Specifies the circumstances under which the policy statement applies.

In this IAM policy statement, the following rules are applied:

  • Effect: Deny: This policy statement denies access to the specified actions.

  • Principal: *: This policy statement applies to every caller, including identities in the bucket owner's own account and anonymous requests. Combined with Effect: Deny this is safe, because the statement only removes permissions and never grants any.

  • Action: s3:PutObject: This policy statement applies to the PutObject action.

  • Resource: arn:aws:s3:::SensitiveDataBucket/*: This policy statement applies to all objects in the SensitiveDataBucket S3 bucket.

  • Condition: StringNotEquals: This condition matches when the value of s3:x-amz-server-side-encryption (taken from the request's x-amz-server-side-encryption header) is anything other than AES256, for example aws:kms. The AWS documentation example pairs this statement with a second Deny that uses the Null condition operator ("Null": {"s3:x-amz-server-side-encryption": "true"}) so that a request which omits the header entirely is also rejected, rather than relying on how a negated operator treats a missing key.

Overall, because this is an explicit Deny and an explicit Deny overrides any Allow, every PutObject to SensitiveDataBucket that does not request SSE-S3 (AES256) is rejected, whatever identity-based permissions the caller holds. Two practical caveats: the value AES256 selects SSE-S3 specifically, so clients that request SSE-KMS (aws:kms) are denied as well and the value must be changed if KMS-managed keys are the goal; and since January 2023 Amazon S3 encrypts all new objects with SSE-S3 by default, so the policy's job today is to make the requirement explicit and to reject clients that ask for a different option or omit the header, not to turn encryption on.
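To make the evaluation of the reference condition and the option A policy concrete, here is an added Python model. It is not code from the page or from AWS, and it is not boto3 or the IAM policy simulator: it is a pure standard-library evaluator of just the pieces these statements use (Action and Resource wildcards, StringNotEquals, Null). It builds the bucket policy with the page's Deny statement plus the Null-operator statement from the AWS documentation example, then runs constructed PutObject requests through it. StringNotEquals is modelled conservatively (a missing header does not match it), which is exactly the gap the second statement closes. The bucket name, object key and request contexts are constructed for the example.

```python
"""Offline model of how the two S3 Deny statements evaluate PutObject requests.

Added example, not from the original page or from AWS. Only the condition
operators these statements use are modelled; it is not the IAM simulator.
"""
import fnmatch
import json

SSE_KEY = "s3:x-amz-server-side-encryption"


def require_sse_policy(bucket: str, algorithm: str = "AES256") -> dict:
    """Bucket policy: the page's StringNotEquals Deny plus the Null-operator
    Deny the AWS documentation example adds for requests that omit the
    header. Resource uses /* because s3:PutObject targets objects."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": object_arn,
                "Condition": {"StringNotEquals": {SSE_KEY: algorithm}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": object_arn,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """All operator/key pairs in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Modelled conservatively: an absent key does not count as
                # "not equal"; the Null statement covers the absent-header case.
                if not present or context[key] in _as_list(expected):
                    return False
            elif operator == "Null":
                # "true" matches when the key is absent, "false" when present.
                if present == (expected == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def matching_denies(policy: dict, action: str, resource: str, context: dict) -> list:
    """Return the Sids of Deny statements that apply to the request.
    An explicit Deny overrides any Allow, so a non-empty list means rejected."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = require_sse_policy("SensitiveDataBucket")
    print(json.dumps(policy, indent=2))  # the document you would attach as the bucket policy
    obj = "arn:aws:s3:::SensitiveDataBucket/2024/q1-ledger.csv"  # constructed object key
    for label, ctx in [
        ("SSE-S3 header", {SSE_KEY: "AES256"}),
        ("SSE-KMS header", {SSE_KEY: "aws:kms"}),
        ("no header", {}),
    ]:
        denies = matching_denies(policy, "s3:PutObject", obj, ctx)
        print(f"{label:15} -> {'DENIED by ' + ', '.join(denies) if denies else 'not denied'}")
```

Running it shows the AES256 upload passing both statements, the aws:kms upload caught by DenyIncorrectEncryptionHeader, and the header-less upload caught only by DenyUnencryptedObjectUploads. Passing "aws:kms" as the algorithm flips the policy to require SSE-KMS instead, and rewriting Resource to the bare bucket ARN (the option B mistake) makes neither statement match any object key.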