AWS KMS Integration

Correct Answer: Enable S3 bucket default encryption with AWS KMS (SSE-KMS) so new objects are automatically encrypted without requiring client changes.

Enabling S3 bucket default encryption with AWS KMS (SSE-KMS) ensures that all new objects written to the bucket are automatically encrypted with the specified KMS key, even if the uploader does not include any encryption headers. This approach is transparent to clients and avoids disrupting existing applications or workflows. While a bucket policy that requires the x-amz-server-side-encryption header can enforce encryption, it often breaks existing clients that do not set the header, causing operational disruption. AWS Organizations Service Control Policies cannot reliably enforce per-object SSE-KMS for S3 PUT operations across all scenarios. Disabling public access and using IAM roles are good security practices but do not ensure SSE-KMS encryption. For existing unencrypted objects, use S3 Batch Operations or a copy/rewrite process to re-encrypt with SSE-KMS.

Correct Answer: Enable encryption at rest when creating the EFS file system.

To enable KMS encryption at rest for EFS, select the option during the EFS file system creation process. Other answers involve methods that are not supported or inefficient.

Correct Answer: Create a KMS key and select the key when creating the RDS instance.

To enable server-side encryption at rest for Amazon RDS using AWS KMS, you must specify an AWS KMS key when creating the DB instance. RDS will then use that key to encrypt the underlying storage and automated backups, snapshots, and read replicas. Encryption cannot be enabled on an existing unencrypted DB instance without restoring from an encrypted snapshot. Assigning a KMS IAM role to RDS is not a configuration step; access is governed by KMS key policies when you select the key. Security groups are unrelated to KMS. Encrypting data with the KMS SDK is a separate client-side approach and does not enable RDS-managed encryption at rest.