What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.
Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.
Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to true.
Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.
Explanations:
Thes3:x-amz-aclheader is used to specify the access control list (ACL) for the object being uploaded, not for enforcing encryption. Therefore, updating the bucket policy based on this header does not ensure encryption.
Similar to Option A, thes3:x-amz-aclheader is related to object access permissions and does not pertain to encryption. Denying based on this header will not enforce that uploaded objects are encrypted.
Theaws:SecureTransportcondition is used to enforce that requests are made over HTTPS, which enhances security but does not ensure that the objects are encrypted at rest. This condition alone will not fulfill the requirement of enforcing encryption on uploaded objects.
Thex-amz-server-side-encryptionheader is specifically used to indicate that the object being uploaded should be encrypted using server-side encryption (SSE). Updating the bucket policy to deny uploads that do not include this header effectively enforces that all objects are uploaded with encryption.
I arrange that the answer is:
Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set.