AWS Certified Developer Associate Exam Questions

AWS Certified Developer Associate Exam - Question 198


A company has an Amazon S3 bucket that contains sensitive data. The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3 bucket.

How can the developer enforce that all requests to retrieve the data provide encryption in transit?

Correct Answer: A

To enforce encryption in transit, the correct approach is to define a resource-based policy on the S3 bucket to deny access when a request meets the condition "aws:SecureTransport": "false". This ensures that any request to retrieve data from the S3 bucket must be made over a secure connection (i.e., HTTPS), thereby providing encryption in transit. By setting this policy at the bucket level, it applies to all access attempts, regardless of the account they originate from.
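The policy described above, written out as an added example that is not part of the original page or of AWS documentation. The bucket name and account IDs are constructed placeholders. The block builds the bucket policy (a cross-account Allow for s3:GetObject plus a Deny for every principal when aws:SecureTransport is false), models the decision IAM makes for a request so the explicit-Deny-wins behaviour is visible, and includes an audit check for the same property that the s3-bucket-ssl-requests-only AWS Config rule evaluates:

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholder values; the exam question names no bucket or accounts.
BUCKET = "example-sensitive-bucket"
TRUSTED_ACCOUNTS = ["111111111111", "222222222222"]


def build_bucket_policy(bucket, trusted_accounts):
    """Bucket policy that grants GetObject to the listed accounts and denies every
    request that is not made over TLS (condition aws:SecureTransport == false)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountGetObject",
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusted_accounts]},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                # An explicit Deny overrides any Allow, so this statement applies to
                # every principal, including the roles in the other accounts.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def _any_match(patterns, value):
    # IAM wildcards ("s3:*", ".../*") map directly onto shell-style patterns here.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, principal_arn, action, resource, secure_transport):
    """Simplified model of the IAM decision for one request against a bucket policy:
    an explicit Deny wins, otherwise an Allow is required (implicit deny by default).
    Only the Bool condition on aws:SecureTransport is modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if "aws:SecureTransport" in cond:
            required = cond["aws:SecureTransport"].lower() == "true"
            if required != secure_transport:
                continue  # condition not met, so the statement does not apply
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def enforces_tls(policy, bucket):
    """Audit check: is there a Deny for all principals covering the bucket's objects,
    conditioned on aws:SecureTransport being false? This is the property the
    s3-bucket-ssl-requests-only AWS Config managed rule looks for."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_matches(stmt.get("Principal", {}), "*"):
            continue
        if not _any_match(stmt.get("Action", []), "s3:GetObject"):
            continue
        if not _any_match(stmt.get("Resource", []), object_arn):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, TRUSTED_ACCOUNTS), indent=2))
```

The generated document is what you would pass to `put_bucket_policy` (boto3 or the console). Because the data is encrypted with a KMS key, the other accounts will additionally need `kms:Decrypt` on that key through the key policy; that is separate from the transport requirement and is not covered by this block.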

Discussion

8 comments
k1kavi1 (Option: A)
Nov 25, 2022

https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/

michaldavid (Option: A)
Nov 29, 2022

aaaaaaaaa

ShriniW (Option: A)
Feb 17, 2023

A is the right one, why is C highlighted? It's wrong.

Rups79 (Option: C)
Feb 17, 2023

Question says "other AWS accounts"

pancman
Feb 20, 2023

Doesn't matter. C doesn't provide the expected solution

pancman (Option: A)
Feb 20, 2023

A is correct

MMaquis (Option: A)
Feb 24, 2023

A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition "aws:SecureTransport": "false". This option is the correct solution to enforce that all requests to retrieve the data provide encryption in transit. By defining a resource-based policy on the S3 bucket, you can specify the "aws:SecureTransport" condition to deny access to any request that does not use encryption in transit. This ensures that all requests to retrieve the data are encrypted in transit, which is a requirement for the sensitive data stored in the S3 bucket. Option C is also incorrect because it only applies to the other accounts' roles, and not to all requests to retrieve the data.

RajinderKaur
Apr 7, 2023

Answer is C https://repost.aws/knowledge-center/cross-account-access-s3 Cross-account IAM roles for programmatic and console access to S3 bucket objects

rcaliandro (Option: A)
Jun 29, 2023

I will go with A as well. Even if we have specific users, we have to establish a policy on the S3 bucket to deny all the requests that have "aws:SecureTransport":"false".