
Answer-first summary for fast verification
Answer: Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.
## Explanation

**Correct Answer: D** - Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.

**Why this is correct:**

1. **x-amz-server-side-encryption header**: This is the specific header that controls server-side encryption for S3 objects. When this header is present in a PutObject request, the object is stored encrypted using either SSE-S3 (AES-256) or SSE-KMS.
2. **Bucket policy enforcement**: By creating a bucket policy that denies PutObject requests that don't include this header, you enforce encryption at the bucket level. This is a proactive control that prevents unencrypted data from being stored in the first place.
3. **Common pattern**: This is a standard AWS security best practice for ensuring that all data in an S3 bucket is encrypted.

**Why the other options are incorrect:**

- **A & B**: These options refer to the `s3:x-amz-acl` header, which controls access control lists (ACLs) for objects, not encryption. ACLs determine who can access objects, not whether they are encrypted.
- **C**: The `aws:SecureTransport` condition key is used to enforce HTTPS/TLS encryption in transit, not server-side encryption at rest. While important for data in transit, it doesn't ensure that data stored in S3 is encrypted.

**Additional context:**

- The `x-amz-server-side-encryption` header can have values such as:
  - `AES256` for SSE-S3 encryption
  - `aws:kms` for SSE-KMS encryption
  - `aws:kms:dsse` for dual-layer server-side encryption with KMS keys
- This approach enforces encryption at the API level before objects are stored, providing a strong security control for compliance requirements.
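The following added example (written for this page, not part of the LeetQuiz explanation) shows what the correct answer looks like as an actual bucket policy and how its two Deny conditions decide a PutObject request. Note that in a policy the header is referenced through the condition key `s3:x-amz-server-side-encryption`, while the request itself carries the `x-amz-server-side-encryption` header. The bucket name `example-bucket` and the sample requests are constructed placeholders; the `put_object_denied` function is a deliberately simplified local model of the two condition operators used here, not the IAM policy engine.

```python
import json
from typing import Dict, List, Optional

# Accepted server-side encryption modes (values named in the explanation above).
ALLOWED_SSE: List[str] = ["AES256", "aws:kms", "aws:kms:dsse"]


def build_policy(bucket: str, allowed: Optional[List[str]] = None) -> dict:
    """Build a bucket policy with two explicit Deny statements on s3:PutObject.

    Statement 1 uses the Null operator: "true" means the condition key is
    absent from the request, i.e. the caller sent no encryption header at all.
    Statement 2 uses StringNotEquals so that a header with an unexpected value
    (for example a typo) is also rejected rather than silently accepted.
    """
    allowed = ALLOWED_SSE if allowed is None else allowed
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {
                    "Null": {"s3:x-amz-server-side-encryption": "true"}
                },
            },
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": allowed
                    }
                },
            },
        ],
    }


def put_object_denied(policy: dict, request_headers: Dict[str, str]) -> Optional[str]:
    """Simplified model of how the two Deny statements evaluate a PutObject.

    Returns the Sid of the first matching Deny statement, or None when the
    request passes both checks. Assumption: only the Null and StringNotEquals
    operators from build_policy() are modelled, and the request is taken to
    target the policy's Resource. This is a teaching aid, not IAM itself.
    """
    header = request_headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "Null" in cond:
            want_absent = cond["Null"]["s3:x-amz-server-side-encryption"] == "true"
            if want_absent and header is None:
                return stmt["Sid"]
        if "StringNotEquals" in cond and header is not None:
            allowed = cond["StringNotEquals"]["s3:x-amz-server-side-encryption"]
            if header not in allowed:
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_policy("example-bucket")  # constructed bucket name
    print(json.dumps(policy, indent=2))

    # Constructed sample requests: no header, a valid header, and a bad value.
    samples = [
        {},
        {"x-amz-server-side-encryption": "AES256"},
        {"x-amz-server-side-encryption": "aws:kms"},
        {"x-amz-server-side-encryption": "rot13"},
    ]
    for headers in samples:
        verdict = put_object_denied(policy, headers) or "allowed by this policy"
        print(f"{headers!r:55} -> {verdict}")
```

Run it to print the policy document and the verdict for each sample request. The printed JSON can be saved to a file and applied with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`. The second statement is the practitioner's caveat: the quiz answer only requires that the header be set, but a header with a wrong value is also worth rejecting, which is why the common AWS pattern pairs the `Null` check with a `StringNotEquals` check on the accepted values.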
Author: LeetQuiz Editorial Team
What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
A
Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.
B
Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.
C
Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to true.
D
Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.