AWS Certified Developer - Associate



A developer is maintaining an application that leverages an Amazon S3 bucket for data storage. This application interacts with the bucket through an HTTP API to perform operations such as storing and retrieving objects. It is crucial that whenever the PutObject API operation is invoked to add objects to the S3 bucket, the objects must be encrypted at rest using server-side encryption with Amazon S3-managed keys (SSE-S3).

Which strategy will ensure that any upload request that does not comply with the required encryption is automatically rejected and not processed?




Explanation:

SSE-S3 server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).

You can use the following bucket policy to deny permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption using SSE-S3:

    {
      "Version": "2012-10-17",
      "Id": "PutObjectPolicy",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        },
        {
          "Sid": "DenyUnencryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }
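To see which PutObject requests the two Deny statements catch, the following added example (not part of the original page, and not AWS's policy engine) models only the `StringNotEquals` and `Null` operators used in this policy. The function names and the sample requests are constructed for illustration.

```python
# Simplified local model of how the policy's two Deny statements treat a
# PutObject request. Only the two condition operators used above are modelled.
KEY = "s3:x-amz-server-side-encryption"
POLICY_STATEMENTS = [
    {"Sid": "DenyIncorrectEncryptionHeader",
     "Condition": {"StringNotEquals": {KEY: "AES256"}}},
    {"Sid": "DenyUnencryptedObjectUploads",
     "Condition": {"Null": {KEY: "true"}}},
]

def condition_matches(operator, key, expected, context):
    present = key in context
    if operator == "StringNotEquals":
        # Negated string operators also match when the key is absent.
        return (not present) or context[key] != expected
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return (not present) == (expected == "true")
    raise ValueError(f"operator not modelled: {operator}")

def denying_sids(headers):
    """Return the Sids of the Deny statements that match a PutObject request."""
    # The condition key is the request header name with an "s3:" prefix.
    context = {f"s3:{name.lower()}": value for name, value in headers.items()
               if name.lower() == "x-amz-server-side-encryption"}
    matched = []
    for stmt in POLICY_STATEMENTS:
        if all(condition_matches(op, key, val, context)
               for op, kv in stmt["Condition"].items()
               for key, val in kv.items()):
            matched.append(stmt["Sid"])
    return matched

# Constructed sample requests (only the relevant header is shown).
SAMPLES = {
    "no header": {},
    "SSE-S3": {"x-amz-server-side-encryption": "AES256"},
    "SSE-KMS": {"x-amz-server-side-encryption": "aws:kms"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        sids = denying_sids(headers)
        verdict = "DENY by " + ", ".join(sids) if sids else "not denied by this policy"
        print(f"{label:10} -> {verdict}")
```

Only the request carrying `AES256` passes both statements; a request with no header is matched by both, and a request asking for a different encryption type is matched by the first.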
