Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For AWS DVA-C02 candidates, the confusion often lies in distinguishing client-side encryption from bucket policy controls and understanding how HTTPS enforcement works in S3 bucket policies. In production, this is about knowing exactly how to programmatically encrypt data with AWS KMS before upload while also ensuring all incoming traffic to your bucket is securely transmitted over TLS. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A fintech startup, FinEdge Inc., has developed a web application that stores sensitive customer financial documents in an Amazon S3 bucket. Regulatory compliance mandates that all objects containing personally identifiable information (PII) must be encrypted at rest using AWS KMS-managed keys that support on-demand rotation. Additionally, the company wants to ensure the encryption of data in transit between the client applications and the S3 bucket.
The Requirement: #
Design the solution so that all PII files uploaded are encrypted client-side using AWS KMS customer-managed keys (CMKs) before being stored, and enforce that all connections to the S3 bucket use encrypted HTTPS transport.
The Options #
- A) Write an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions boundaries.
- B) Configure an S3 bucket policy to enable client-side encryption for the objects containing personal data by using an AWS KMS customer managed key.
- C) Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects containing personal data to Amazon S3.
- D) Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition.
- E) Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS.
Correct Answer #
C and D
Quick Insight: The Developer Imperative #
Data must be encrypted before upload via the AWS SDK using KMS-keyed client-side encryption (C), while HTTPS enforcement is correctly done with an S3 bucket policy condition on aws:SecureTransport (D). Bucket policies do not encrypt anything themselves; they enforce access controls and transport rules.
The Expert’s Analysis #
Correct Answer #
Option C and Option D
The Winning Logic #
- Option C: Client-side encryption using AWS KMS customer-managed keys requires that the application encrypts the data before upload. This means using the AWS SDK's encryption client or SDK-supported client-side encryption features keyed by the specified CMK. The data is therefore already encrypted when it reaches S3, satisfying the at-rest requirement, and the CMK supports on-demand rotation.
- Option D: To enforce that all connections to S3 use HTTPS (in-transit encryption), the S3 bucket policy conditions on aws:SecureTransport so that only requests with the key set to true are permitted; the usual form is an explicit Deny when aws:SecureTransport is false. This blocks any requests over unencrypted HTTP.
Together, these two steps meet both requirements: client-side KMS encryption for at-rest security plus enforcement of encrypted client-to-bucket transport.
The Trap (Distractor Analysis): #
- Why not A? Permissions boundaries apply to IAM principals, not bucket policies. You cannot enforce HTTPS-only access to the bucket via permissions boundaries.
- Why not B? S3 bucket policies do not "enable" client-side encryption; they control access. Client-side encryption is implemented inside the app before upload.
- Why not E? S3 Block Public Access controls public ACL and policy settings but does not enforce HTTPS connections.
The Technical Blueprint #
# Example S3 bucket policy snippet to enforce HTTPS:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceHTTPSOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::finedge-sensitive-data",
        "arn:aws:s3:::finedge-sensitive-data/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
# Sample AWS SDK client-side encryption usage (Node.js):
```javascript
// Note: the snippet originally imported "@aws-sdk/client-s3-encryption", which is not part
// of the AWS SDK for JavaScript v3, and used an undefined s3Client. This version uses the
// AWS Encryption SDK for JavaScript (@aws-crypto/client-node) with a KMS keyring, so the
// object is encrypted under the CMK inside the application before the PutObject call.
const { S3Client, PutObjectCommand } = require("@aws-sdk/client-s3");
const { KmsKeyringNode, buildClient, CommitmentPolicy } = require("@aws-crypto/client-node");

const region = "us-east-1";
const s3Client = new S3Client({ region });

// Configure the KMS CMK as the keyring's generator key (placeholder ARN).
const keyring = new KmsKeyringNode({
  generatorKeyId: "arn:aws:kms:us-east-1:123456789012:key/abcd-efgh-ijkl",
});
const { encrypt } = buildClient(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT);

async function uploadEncryptedObject(bucket, key, body) {
  // Encrypt before upload; the encryption context binds the ciphertext to its location.
  const { result } = await encrypt(keyring, body, { encryptionContext: { bucket, key } });
  const command = new PutObjectCommand({ Bucket: bucket, Key: key, Body: result });
  await s3Client.send(command);
}
```
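The policy above is easy to get subtly wrong: an Allow that is limited to TLS requests, or a Deny that carries a second condition key, does not reject every plain-HTTP request. The following added example (not code from the original post) is a static checker for the option D pattern, run over three constructed policies for the page's bucket name; the account id and IP range in the samples are placeholders.

```javascript
// Added example, not code from the original post: a static check that a bucket
// policy enforces HTTPS the way option D describes. Enforcement needs an explicit
// Deny, for all principals and all actions, on both the bucket and object ARNs,
// conditioned only on aws:SecureTransport == "false". An Allow limited to TLS
// requests does not by itself reject plain-HTTP ones.

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function coversBucketAndObjects(resources, bucket) {
  const rs = asArray(resources);
  const arn = `arn:aws:s3:::${bucket}`;
  const all = rs.includes("*");
  return (all || rs.includes(arn)) && (all || rs.includes(`${arn}/*`));
}

// A Deny that carries any extra condition key is narrower than "all HTTP".
function deniesInsecureTransportOnly(st) {
  const cond = st.Condition || {};
  const boolKeys = Object.keys(cond.Bool || {});
  const onlyTransport =
    Object.keys(cond).length === 1 && boolKeys.length === 1 && boolKeys[0] === "aws:SecureTransport";
  const flag = String(cond.Bool?.["aws:SecureTransport"]).toLowerCase();
  return st.Effect === "Deny" && onlyTransport && flag === "false";
}

// True when at least one statement rejects every non-TLS request to the bucket.
function enforcesHttps(policy, bucket) {
  return asArray(policy.Statement).some((st) => {
    const allPrincipals = st.Principal === "*" || st.Principal?.AWS === "*";
    const allActions = asArray(st.Action).some((a) => a === "s3:*" || a === "*");
    return deniesInsecureTransportOnly(st) && allPrincipals && allActions &&
      coversBucketAndObjects(st.Resource, bucket);
  });
}

const BUCKET = "finedge-sensitive-data";
const ARN = `arn:aws:s3:::${BUCKET}`;
// Constructed sample 1: the page's Deny policy, which does enforce HTTPS.
const STRICT_POLICY = { Version: "2012-10-17", Statement: [{
  Sid: "EnforceHTTPSOnly", Effect: "Deny", Principal: "*", Action: "s3:*",
  Resource: [ARN, `${ARN}/*`], Condition: { Bool: { "aws:SecureTransport": "false" } } }] };
// Constructed sample 2: only allows TLS reads for one account; nothing denies HTTP.
const ALLOW_ONLY_POLICY = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:root" }, Action: "s3:GetObject",
  Resource: `${ARN}/*`, Condition: { Bool: { "aws:SecureTransport": "true" } } }] };
// Constructed sample 3: the Deny is narrowed by a second condition key, so some HTTP still passes.
const NARROWED_POLICY = { Version: "2012-10-17", Statement: [{
  Effect: "Deny", Principal: "*", Action: "s3:*", Resource: [ARN, `${ARN}/*`],
  Condition: { Bool: { "aws:SecureTransport": "false" }, IpAddress: { "aws:SourceIp": "203.0.113.0/24" } } }] };
```

Run it against the policy fetched with `aws s3api get-bucket-policy` to confirm the Deny covers both the bucket ARN and the object ARN and has no other condition keys.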
The Comparative Analysis #
| Option | API Complexity | Performance | Use Case |
|---|---|---|---|
| A | Permissions boundary not applicable | N/A | Incorrect enforcement method for HTTPS |
| B | Bucket policy control only | N/A | Misconception: bucket policy can’t enforce encryption |
| C | Requires AWS SDK client-side logic | Moderate encryption overhead | Encrypts data before upload with KMS CMK |
| D | Simple bucket policy condition | None | Ensures HTTPS-only access to bucket |
| E | Block public access setting | N/A | Controls public access, not transport encryption |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick bucket policy with aws:SecureTransport for in-transit encryption enforcement.
Real World #
In reality, you may also use signed URLs or CloudFront with HTTPS enforced to further protect client-to-S3 communication while combining that with SDK-managed client-side encryption for sensitive data.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.