🔥 3-day streak
AWS Certified Security - Specialty104 / 184
Question 104 of 184
A financial services company encrypts sensitive customer records in an S3 bucket using a customer managed KMS key. Security policy requires that decryption of these records is only possible from within the company's VPC, using a VPC endpoint for KMS, and never from the public internet or other networks. Application EC2 instances in private subnets access the data through an interface VPC endpoint for KMS. Which approach best enforces this requirement?
Reviewed for accuracy · Report an issueNext question