What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
A. Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.
B. Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.
C. Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to true.
D. Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.
Explanations:
A. The s3:x-amz-acl header specifies the Access Control List (ACL) for the object; it says nothing about encryption. A bucket policy that denies on the absence of this header therefore does not ensure that objects are encrypted.
B. As with option A, the s3:x-amz-acl header only controls the object's access permissions. Setting it to private does not guarantee that the object is encrypted when uploaded.
C. The aws:SecureTransport condition checks whether the request was made over HTTPS. Requiring it is good practice for protecting data in transit, but it does not enforce encryption of the objects stored in S3.
D. The x-amz-server-side-encryption header specifies server-side encryption for the object being uploaded. By updating the bucket policy to deny PutObject requests that do not include this header, the solutions architect ensures that every object is encrypted at rest upon upload. This is the correct answer.
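The bucket policy that option D describes, written out as an added example (not part of the original question). It uses the S3 condition key s3:x-amz-server-side-encryption, which S3 populates from the x-amz-server-side-encryption request header; the bucket name EXAMPLE-BUCKET-NAME is a placeholder. The first statement is exactly option D: deny any PutObject whose request does not carry the header (the Null operator is true when the key is absent). The second statement goes one step further than the question and additionally denies uploads that carry the header but ask for anything other than SSE-KMS; drop it if SSE-S3 (AES256) is acceptable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectWithoutServerSideEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "DenyPutObjectUnlessSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

Two practical notes. First, an explicit Deny in a bucket policy overrides any Allow, so every client (SDKs, CLI, CI pipelines) must send the header or its uploads fail with AccessDenied; a rollout is usually preceded by auditing CloudTrail PutObject events for requests that lack the header. Second, this policy is independent of the bucket's default encryption setting: default encryption applies server-side encryption when a request omits the header, whereas this policy rejects such requests outright, so the two should be configured together deliberately rather than assumed to be equivalent.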