AWS Certified Solutions Architect – Associate (SAA-C02) — Question 209
What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
Answer options
- A. Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.
- B. Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.
- C. Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to true.
- D. Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.
Correct answer: D
Explanation
The correct answer is D: a bucket policy that denies any PutObject request lacking the x-amz-server-side-encryption header ensures that every object is encrypted on the server side upon upload. Options A and B are incorrect because they pertain to access control rather than encryption. Option C relates to secure transport; it does not enforce encryption of the objects themselves.