
What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
A
Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.
B
Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.
C
Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to true.
D
Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.
Explanation:
Correct Answer: D - Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.
Why this is correct:
x-amz-server-side-encryption header: This is the request header a client sends on PutObject (and on CopyObject and multipart-upload initiation) to request server-side encryption. Its value selects the method: AES256 for SSE-S3, aws:kms for SSE-KMS, or aws:kms:dsse for dual-layer SSE-KMS. S3 exposes the header to bucket policies as the condition key s3:x-amz-server-side-encryption.
Bucket policy enforcement: A Deny statement on s3:PutObject with a Null condition on s3:x-amz-server-side-encryption rejects any upload that omits the header, and a second Deny with StringNotEquals pins the value to the algorithm you require (for example aws:kms). The request is rejected at the API before any bytes are stored, so a misconfigured client cannot create an unencrypted or wrongly encrypted object.
Common patterns: This is the standard AWS pattern for enforcing encryption at rest on a bucket. One caveat: since January 2023 S3 applies SSE-S3 to every new object by default, so today the deny-on-missing-header pattern is mostly used to require SSE-KMS (optionally a specific KMS key, via s3:x-amz-server-side-encryption-aws-kms-key-id) rather than to prevent plaintext storage, and clients that relied on default encryption and send no header will start failing with AccessDenied.
Why the other options are incorrect:
A & B: These options refer to s3:x-amz-acl, the condition key for the x-amz-acl request header, which sets the object's access control list (for example private or public-read). An ACL decides who can read the object; it has no effect on whether the object is encrypted.
C: aws:SecureTransport is a global condition key, not a request header; it is true when the request arrived over TLS. A Deny with "Bool": {"aws:SecureTransport": "false"} enforces encryption in transit, which is a good companion control, but it says nothing about how the object is stored at rest.
Additional context:
The x-amz-server-side-encryption header can have the following values:
AES256 for SSE-S3 encryption
aws:kms for SSE-KMS encryption
aws:kms:dsse for dual-layer server-side encryption with KMS keys
This approach ensures encryption is enforced at the API level before objects are stored, providing a strong security control for compliance requirements.
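The following is an added example, not code from the quiz or from AWS: it builds the two-statement bucket policy described in the explanation (Deny when the header is absent, Deny when it is set to the wrong algorithm) and includes a small offline evaluator for the Null and StringNotEquals operators so you can see which of the header values listed above get through. The bucket name example-bucket, the object key, and the simplified policy evaluation (Deny statements only, no identity policy, no wildcards beyond a trailing "*") are assumptions for illustration.

```python
"""Added example: an S3 bucket policy requiring server-side encryption on
PutObject, plus a local simulation of how its Deny statements evaluate.

Assumptions (not from the quiz page): bucket name, object key, and a
simplified IAM evaluator that models only the operators this policy uses.
"""

import json

# Map the PutObject request header onto the condition key S3 exposes to policies.
HEADER = "x-amz-server-side-encryption"
CONDITION_KEY = "s3:" + HEADER


def encryption_policy(bucket, algorithm):
    """Bucket policy with two Deny statements: one for a missing header, one for
    a header whose value is not the required algorithm ("AES256", "aws:kms", or
    "aws:kms:dsse")."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                # Null == "true" matches requests where the key is absent.
                "Condition": {"Null": {CONDITION_KEY: "true"}},
            },
            {
                "Sid": "DenyWrongEncryptionAlgorithm",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {CONDITION_KEY: algorithm}},
            },
        ],
    }


def policy_json(bucket, algorithm):
    """Serialised form, suitable for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(encryption_policy(bucket, algorithm), indent=2)


def request_context(headers):
    """Build the condition-key context from the request headers (only the one
    key relevant here is modelled)."""
    return {CONDITION_KEY: headers[HEADER]} if HEADER in headers else {}


def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block matches ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent as well as when
                # the value differs; the separate Null statement makes the
                # missing-header case explicit regardless.
                if present and ctx[key] == expected:
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] != expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def resource_matches(pattern, resource):
    """Trailing-wildcard ARN match, enough for 'arn:aws:s3:::bucket/*'."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def evaluate_put_object(policy, headers, bucket="example-bucket", key="uploads/report.csv"):
    """Return ("Deny", Sid) for the first matching Deny statement, else ("Allow", None).
    Simplification: assumes the caller's identity policy already allows s3:PutObject."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    ctx = request_context(headers)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] not in ("s3:PutObject", "s3:*"):
            continue
        if not resource_matches(stmt["Resource"], resource):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return ("Deny", stmt["Sid"])
    return ("Allow", None)


# Constructed sample PutObject requests, one per header value plus the missing case.
SAMPLE_REQUESTS = {
    "no header": {},
    "sse-s3": {HEADER: "AES256"},
    "sse-kms": {HEADER: "aws:kms"},
    "dsse-kms": {HEADER: "aws:kms:dsse"},
}


def decisions(bucket="example-bucket", algorithm="aws:kms"):
    """Decision for each sample request under a policy requiring `algorithm`."""
    policy = encryption_policy(bucket, algorithm)
    return {name: evaluate_put_object(policy, hdrs, bucket)[0]
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(policy_json("example-bucket", "aws:kms"))
    print(decisions())
```

Running the module prints the policy document and the decisions for the four sample requests: with aws:kms required, only the SSE-KMS upload is allowed, the missing-header upload is caught by DenyMissingEncryptionHeader, and AES256 and aws:kms:dsse are caught by DenyWrongEncryptionAlgorithm. To require a particular key as well, add a third Deny with StringNotEquals on s3:x-amz-server-side-encryption-aws-kms-key-id; the evaluator above would need that key added to request_context to simulate it.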