AWS Certified Security – Specialty — Question 383
A company that builds document management systems recently performed a security review of its application on AWS. The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit. A security engineer must implement a solution that prevents uploads that are not encrypted in transit.
Which solution will meet this requirement?
Answer options
- A. Ensure that all client implementations are using HTTPS to upload documents into the application.
- B. Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.
- C. Add an S3 bucket policy that denies all S3 actions for condition “aws:secureTransport”: “false”.
- D. Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secureTransport.
Correct answer: C
Explanation
Applying an S3 bucket policy with an explicit deny for requests where "aws:SecureTransport" is "false" blocks any non-HTTPS request to the bucket, including uploads made through presigned URLs, because a presigned URL request is still evaluated against the bucket policy. AWS Config's s3-bucket-ssl-requests-only managed rule can detect buckets whose policies lack such a statement, but Config is a detective control and does not itself reject unencrypted uploads. S3 bucket ACLs have no condition element, so they cannot express a SecureTransport requirement, and client-side enforcement (choosing HTTPS in each client) cannot guarantee compliance at the bucket level.
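The bucket policy described in option C, written out as an added example (this is not part of the original question page); the bucket name EXAMPLE-BUCKET is a placeholder, and the condition key is shown in its documented casing, aws:SecureTransport:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Both the bucket ARN and the object ARN (the /* form) are listed so the deny covers object operations such as PutObject, which is what a presigned upload URL performs, as well as bucket-level operations. Because the statement is an explicit Deny with Principal "*", it overrides any Allow granted to the signer of the presigned URL, so an HTTP upload fails with an access-denied error while the same request over HTTPS is evaluated normally. The s3-bucket-ssl-requests-only Config rule from option B is a useful companion check: it reports the bucket as compliant once a statement of this shape is in place.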