
AWS Certified DevOps Engineer - Professional DOP-C02 Exam - Question 206


A company uses AWS Control Tower and AWS CloudFormation to manage its AWS accounts and to create AWS resources. The company requires all Amazon S3 buckets to be encrypted with AWS Key Management Service (AWS KMS) when the S3 buckets are created in a CloudFormation stack.

Which solution will meet this requirement?

Correct Answer: B

To ensure that every Amazon S3 bucket created in a CloudFormation stack is encrypted with AWS Key Management Service (AWS KMS), use AWS Control Tower: configure and enable proactive AWS Control Tower controls on all Organizational Units (OUs), which are implemented with CloudFormation hooks. Proactive controls are preventive: the hook evaluates the resources in a stack operation before they are provisioned and blocks the operation if a bucket violates the policy, so the encryption requirement is enforced at creation time rather than detected afterwards. This approach meets the requirement directly and uses the built-in capabilities Control Tower already provides for managing a multi-account environment.
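As an added illustration (this is not code from the exam page, and not AWS's own hook implementation): a local, offline check that mirrors the rule a proactive control such as CT.S3.PR.10 enforces through CloudFormation hooks, so a template can be validated in CI before the hook rejects the stack operation. The two sample templates, their logical IDs and the accepted-algorithm set are constructed assumptions; the property names follow the public CloudFormation schema for `AWS::S3::Bucket`, and the exact algorithm values the real control accepts should be confirmed in its documentation.

```python
"""Local pre-deployment check approximating a Control Tower proactive control
(e.g. CT.S3.PR.10): every AWS::S3::Bucket in a CloudFormation template must
declare default server-side encryption with an AWS KMS key.

Added example code, not the page's or AWS's own; the hook in Control Tower
remains the actual enforcement point, this only gives earlier feedback.
"""

# Assumption for this local check: only "aws:kms" counts as KMS encryption.
KMS_ALGORITHMS = {"aws:kms"}


def bucket_encryption_problem(properties):
    """Return None if the bucket properties declare SSE-KMS as the default
    encryption, otherwise a short reason string describing the gap."""
    encryption = properties.get("BucketEncryption")
    if not isinstance(encryption, dict):
        return "no BucketEncryption property"
    rules = encryption.get("ServerSideEncryptionConfiguration") or []
    algorithms = []
    for rule in rules:
        default = rule.get("ServerSideEncryptionByDefault") or {}
        algorithms.append(default.get("SSEAlgorithm"))
    if any(alg in KMS_ALGORITHMS for alg in algorithms):
        return None
    if not algorithms:
        return "ServerSideEncryptionConfiguration has no ServerSideEncryptionByDefault rule"
    found = ", ".join(str(alg) for alg in algorithms)
    return f"SSEAlgorithm is {found}, not aws:kms"


def find_bucket_violations(template):
    """Return ['LogicalId: reason', ...] for each AWS::S3::Bucket that is not
    KMS-encrypted by default. Resources of other types are ignored."""
    violations = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        problem = bucket_encryption_problem(resource.get("Properties") or {})
        if problem:
            violations.append(f"{logical_id}: {problem}")
    return violations


def is_compliant(template):
    """True when no bucket in the template would be blocked by the check."""
    return not find_bucket_violations(template)


# Constructed sample template: passes (KMS key referenced by the bucket).
COMPLIANT_TEMPLATE = {
    "Resources": {
        "DataKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "constructed example key"},
        },
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {
                            "ServerSideEncryptionByDefault": {
                                "SSEAlgorithm": "aws:kms",
                                "KMSMasterKeyID": {"Ref": "DataKey"},
                            }
                        }
                    ]
                }
            },
        },
    }
}

# Constructed sample template: fails twice (no encryption block, and SSE-S3
# instead of SSE-KMS).
NONCOMPLIANT_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "ArchiveBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                }
            },
        },
    }
}

if __name__ == "__main__":
    for name, tpl in (("compliant", COMPLIANT_TEMPLATE),
                      ("noncompliant", NONCOMPLIANT_TEMPLATE)):
        print(name, find_bucket_violations(tpl) or "OK")
```

The check deliberately treats SSE-S3 (`AES256`) as a violation, which is the distinction the question turns on: the requirement is KMS encryption, not merely encryption at rest.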

Discussion

10 comments
thanhnv142 (Option: B)
Feb 12, 2024

B is correct: <AWS Control Tower> means we need to use the proactive control.
A: SCP s3:PutObject permission only denies actions related to putting objects into S3, not creating it.
B: Detective controls are used only for monitoring.
C: correct.
D: This option can achieve the goal of the question. However, it is way more complicated than B.

Ramdi1 (Option: B)
Feb 13, 2024

Proactive controls: Proactive controls are preventative measures that block actions violating defined policies before they occur. This ensures encryption gets applied automatically during S3 bucket creation within CloudFormation stacks.
CloudFormation hooks: Hooks enable Control Tower to intercept and enforce policies on CloudFormation stack operations, making it ideal for enforcing encryption during resource creation.
Multi-account environment: Since the requirement applies across all accounts, Control Tower's multi-account capabilities ensure consistent policy enforcement throughout the organization.

Ramdi1
Feb 13, 2024

The other options have limitations:
A: While SCPs enforce policies, they react to actions instead of proactively preventing them. Additionally, denying s3:PutObject might be too restrictive as it can impact other legitimate operations.
C: Detective controls monitor and report on existing resources, not preventing non-compliant creations.
D: Config and SCPs combined address encryption checks and user limitations, but lack the direct integration with CloudFormation stacks crucial for enforcing during creation.

Gomer (Option: B)
Jul 9, 2024

Here's the Control Tower proactive control: "[CT.S3.PR.10] Require an Amazon S3 bucket to have server-side encryption configured using an AWS KMS key" https://docs.aws.amazon.com/controltower/latest/controlreference/s3-rules.html#ct-s3-pr-10-description

ogerber (Option: B)
Mar 19, 2024

B, 100%

fdoxxx (Option: B)
Apr 7, 2024

B is better than D...

Anonymous (Option: B)
Apr 13, 2024

Answer B

jamesf (Option: B)
Aug 5, 2024

keywords: proactive

Venki_dev (Option: B)
Jun 15, 2024

Clearly the answer is B; here is an article that explains the same: https://aws.amazon.com/blogs/mt/how-aws-control-tower-users-can-proactively-verify-compliance-in-aws-cloudformation-stacks/ Answer D with a Config rule also fits the bill (if there is no Control Tower), but since we already have Control Tower managing the accounts, it's better to make use of the features that Control Tower leverages.

Chelseajcole
Feb 7, 2024

Maybe D

Chelseajcole
Feb 7, 2024

Because of AWS Config

Venki_dev
Jun 15, 2024

It's B: https://aws.amazon.com/blogs/mt/how-aws-control-tower-users-can-proactively-verify-compliance-in-aws-cloudformation-stacks/

fdoxxx (Option: D)
Mar 3, 2024

D provides a solution that leverages AWS Organizations and AWS Config to enforce the requirement for AWS KMS encryption on all S3 buckets created through CloudFormation:
AWS Config Organizational Rule: Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. This rule helps ensure that the encryption requirement is enforced.
Options A, B, and C do not directly address the requirement for AWS KMS encryption on S3 buckets created through CloudFormation:
Option A mentions using an SCP but focuses on denying s3:PutObject without the required encryption header. However, this approach doesn't ensure that the encryption is enforced through AWS KMS.
Options B and C mention using AWS Control Tower with proactive or detective controls, but they don't specifically address the encryption requirement for S3 buckets.

fdoxxx
Apr 7, 2024

I am changing to B - Option B leverages AWS Control Tower, which is designed for managing multiple AWS accounts in a centralized and automated manner. By configuring and enabling proactive AWS Control Tower controls on all Organizational Units (OUs) with CloudFormation hooks, the company can ensure that all S3 buckets created within CloudFormation stacks adhere to the encryption requirement.