🔥 3-day streak
AWS Certified Security - Specialty102 / 184
Question 102 of 184

A financial services company classifies data into three tiers: Public, Internal, and Restricted. Restricted data must be encrypted with a dedicated KMS customer managed key, and the security team requires that any object tagged 'classification=Restricted' stored in S3 be encrypted only with that specific key. Developers currently upload objects using SSE-KMS but can select any KMS key in the account. The security team wants to enforce that Restricted-classified uploads fail unless the correct CMK is used, while allowing other keys for lower tiers. Which approach BEST enforces this requirement?

Reviewed for accuracy · Report an issueNext question