AWS Certified Solutions Architect - Associate

Explanation

Correct Answer: D - Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.

Why this is correct:

1. x-amz-server-side-encryption header: This is the specific header that controls server-side encryption for S3 objects. When this header is present in a PutObject request, it ensures that the object will be encrypted using either SSE-S3 (AES-256) or SSE-KMS encryption.

2. Bucket policy enforcement: By creating a bucket policy that denies PutObject requests that don't include this header, you can enforce encryption at the bucket level. This is a proactive security measure that prevents unencrypted data from being stored.

3. Common patterns: This is a standard AWS security best practice for ensuring all data in S3 buckets is encrypted.

Why the other options are incorrect:

• A & B: These options refer to s3:x-amz-acl header, which controls access control lists (ACLs) for objects, not encryption. ACLs determine who can access objects, not whether they are encrypted.

• C: The aws:SecureTransport condition key is used to enforce HTTPS/TLS encryption in transit, not server-side encryption at rest. While important for data in transit, it doesn't ensure encryption of data at rest in S3.

Additional context:

• The x-amz-server-side-encryption header can have values like:

  • AES256 for SSE-S3 encryption
  • aws:kms for SSE-KMS encryption
  • aws:kms:dsse for dual-layer server-side encryption with KMS keys

• This approach ensures encryption is enforced at the API level before objects are stored, providing a strong security control for compliance requirements.