Which solution will meet this requirement?
Use AWS Organizations. Attach an SCP that denies the s3:PutObject permission if the request does not include an x-amz-server-side-encryption header that requests server-side encryption with AWS KMS keys (SSE-KMS).
Use AWS Control Tower with a multi-account environment. Configure and enable proactive AWS Control Tower controls on all OUs with CloudFormation hooks.
Use AWS Control Tower with a multi-account environment. Configure and enable detective AWS Control Tower controls on all OUs with CloudFormation hooks.
Use AWS Organizations. Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. Deploy the rule. Create and apply an SCP to prevent users from stopping and deleting AWS Config across all AWS accounts.
Explanations:
While using an SCP to deny the s3:PutObject permission unless the x-amz-server-side-encryption header requests SSE-KMS is a good approach for ensuring that objects are uploaded with KMS encryption, it does not enforce the requirement that all S3 buckets be encrypted upon creation in a CloudFormation stack. It is evaluated per upload request and only addresses object uploads, not bucket creation or the bucket's default encryption configuration.
Using AWS Control Tower to configure and enable proactive controls, combined with CloudFormation hooks, allows for the enforcement of S3 bucket encryption with KMS upon creation in stacks. Proactive controls are implemented as AWS CloudFormation Hooks that evaluate the resources in a template before CloudFormation provisions them, so a bucket that does not meet the specified compliance requirements fails the stack operation instead of being created. This directly aligns with the requirement for encryption during bucket creation.
Detective controls in AWS Control Tower are implemented with AWS Config rules and are designed for monitoring compliance rather than preventing non-compliant resources from being created. They can report a bucket as non-compliant and alert administrators after it exists, but they do not enforce encryption for S3 buckets upon their creation in CloudFormation stacks, making this option inadequate for the requirement.
Creating an AWS Config rule to check for KMS encryption on existing S3 buckets is a good practice for governance, but it evaluates buckets after they exist and does not prevent non-compliant buckets from being created in the first place. SCPs can deny API actions, but the CreateBucket request does not carry the bucket's default encryption configuration (CloudFormation sets it with a separate PutBucketEncryption call), so an SCP cannot condition bucket creation on KMS encryption at the time of creation in CloudFormation stacks.
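To make the proactive-versus-detective distinction concrete, the following is an added example, not code from the original question and not AWS Control Tower's own hook implementation. It performs the kind of template-time check a proactive control does: it walks the Resources of a CloudFormation template (JSON form) and fails any AWS::S3::Bucket whose default encryption is not SSE-KMS, before anything is provisioned. The sample template, the verdict format and the function names are constructed for illustration; the property path BucketEncryption.ServerSideEncryptionConfiguration[].ServerSideEncryptionByDefault.SSEAlgorithm is CloudFormation's real schema.

```python
"""
Added example: a template-time SSE-KMS check of the kind a proactive control /
CloudFormation Hook performs before a stack is provisioned. Not part of the
original question and not Control Tower's own code.
"""
import json

REQUIRED_ALGORITHM = "aws:kms"  # SSE-KMS; "AES256" would be SSE-S3 and is not enough here


def bucket_is_sse_kms(properties: dict) -> bool:
    """Return True if the bucket's default encryption is SSE-KMS.

    Follows the CloudFormation property path
    BucketEncryption.ServerSideEncryptionConfiguration[].ServerSideEncryptionByDefault.SSEAlgorithm.
    A missing BucketEncryption block is treated as non-compliant: S3 applies SSE-S3
    to new buckets by default, but the requirement is KMS, so silence is a failure.
    """
    encryption = properties.get("BucketEncryption") or {}
    rules = encryption.get("ServerSideEncryptionConfiguration") or []
    for rule in rules:
        by_default = rule.get("ServerSideEncryptionByDefault") or {}
        if by_default.get("SSEAlgorithm") == REQUIRED_ALGORITHM:
            return True
    return False


def find_noncompliant_buckets(template: dict) -> list:
    """Return the logical IDs of AWS::S3::Bucket resources that are not SSE-KMS."""
    failures = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        if not bucket_is_sse_kms(resource.get("Properties") or {}):
            failures.append(logical_id)
    return failures


def evaluate_template(template_json: str) -> dict:
    """Hook-style verdict (constructed format): SUCCESS lets the stack proceed, FAILED blocks it."""
    template = json.loads(template_json)
    failures = find_noncompliant_buckets(template)
    return {"status": "FAILED" if failures else "SUCCESS", "noncompliant": failures}


# Constructed sample template: one SSE-KMS bucket, one SSE-S3 bucket, one with no encryption block.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
        "GoodBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [{
                        "ServerSideEncryptionByDefault": {
                            "SSEAlgorithm": "aws:kms",
                            "KMSMasterKeyID": {"Ref": "DataKey"},
                        },
                        "BucketKeyEnabled": True,
                    }]
                }
            },
        },
        "Sse3Bucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [{
                        "ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}
                    }]
                }
            },
        },
        "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

if __name__ == "__main__":
    # Only GoodBucket passes; the whole stack operation would be refused.
    print(json.dumps(evaluate_template(SAMPLE_TEMPLATE), indent=2))
```

The point of the example is where the check runs: it sees the template, so the two non-compliant buckets never exist. A detective control (an AWS Config rule) could only flag Sse3Bucket and PlainBucket after CloudFormation had already created them, and an SCP on s3:CreateBucket could not see the encryption setting at all.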