AWS Certified Solutions Architect – Associate (SAA-C03) — Question 287
What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
Answer options
- A. Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.
- B. Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.
- C. Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to true.
- D. Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.
Correct answer: D
Explanation
To enforce server-side encryption for every upload, add a bucket policy statement that denies s3:PutObject when the request does not carry the x-amz-server-side-encryption header. In policy language the request header is exposed as the condition key s3:x-amz-server-side-encryption; a Null condition set to true matches requests where the header is absent, and a second Deny statement with StringNotEquals can restrict the header to a specific algorithm (AES256 for SSE-S3, aws:kms for SSE-KMS). Because an explicit Deny overrides any Allow, no IAM permission elsewhere can bypass the check. Options A and B concern the x-amz-acl header, which controls the object's access control list (ACL) and has nothing to do with encryption. Option C refers to aws:SecureTransport, which is a global condition key rather than a request header; denying requests where it is false forces TLS for data in transit but says nothing about encryption at rest.

Two practical caveats. First, since January 2023 Amazon S3 applies SSE-S3 encryption by default to every new object, so a plain "header must be present" policy now mainly serves to force a stronger setting, such as SSE-KMS with a particular key (the condition key s3:x-amz-server-side-encryption-aws-kms-key-id covers that case). Second, such a policy rejects uploads from any client or tool that does not set the header, so it should be tested against the bucket's real writers before being applied.
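The following is an added example, not code from the original page: it builds the bucket policy the correct answer describes and runs a small, deliberately simplified evaluator over constructed PutObject request headers to show which statement fires. The bucket name, the request headers and the evaluator itself are assumptions for illustration; the simulator treats StringNotEquals as matching only when the key is present, which is exactly why the separate Null statement is included to catch the missing-header case.

```python
"""Added example (not from the original page): deny-unless-encrypted S3 bucket policy
plus a simplified condition evaluator for sample PutObject requests."""
import json

BUCKET = "example-bucket"  # hypothetical bucket name, assumed for the example


def deny_unencrypted_uploads_policy(bucket, algorithm="aws:kms"):
    """Return a bucket policy with two Deny statements on s3:PutObject:
    one for a missing x-amz-server-side-encryption header (Null condition),
    one for a header that names a different algorithm than `algorithm`."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                # Null == "true" matches when the condition key is absent from the request
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                # header present but not the algorithm we require (AES256 or aws:kms)
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": algorithm}},
            },
        ],
    }


def request_context(headers):
    """Map HTTP request headers (case-insensitive) onto the S3 condition key
    that the policy evaluates. Only the encryption header matters here."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctx = {}
    if "x-amz-server-side-encryption" in lowered:
        ctx["s3:x-amz-server-side-encryption"] = lowered["x-amz-server-side-encryption"]
    return ctx


def evaluate_put_object(policy, headers):
    """Simplified evaluation of the Deny statements for one PutObject request.
    Returns (allowed, matched_sid). Assumption: an Allow exists elsewhere, so the
    request goes through unless an explicit Deny matches (Deny always wins)."""
    ctx = request_context(headers)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for operator, pairs in stmt["Condition"].items():
            for key, expected in pairs.items():
                present = key in ctx
                # Null/"true" matches an absent key; Null/"false" matches a present key
                if operator == "Null" and (expected == "true") == (not present):
                    return False, stmt["Sid"]
                # simplification: StringNotEquals is only evaluated on a present key
                if operator == "StringNotEquals" and present and ctx[key] != expected:
                    return False, stmt["Sid"]
    return True, None


if __name__ == "__main__":
    policy = deny_unencrypted_uploads_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    # constructed sample requests, not captured traffic
    samples = [
        {},                                              # no encryption header at all
        {"x-amz-server-side-encryption": "AES256"},      # SSE-S3, but policy wants aws:kms
        {"X-Amz-Server-Side-Encryption": "aws:kms"},     # SSE-KMS, header in mixed case
    ]
    for headers in samples:
        print(headers, "->", evaluate_put_object(policy, headers))
```

If SSE-S3 is acceptable, call `deny_unencrypted_uploads_policy(BUCKET, "AES256")` instead; to pin a specific KMS key, add a third Deny statement on s3:x-amz-server-side-encryption-aws-kms-key-id following the same pattern.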