Which solution will meet this requirement?
Ensure that all client implementations are using HTTPS to upload documents into the application.
Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.
Add an S3 bucket policy that denies all S3 actions for condition “aws:secureTransport”: “false”.
Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secureTransport.
Explanations:
While using HTTPS is essential for encrypting data in transit, ensuring that all client implementations use HTTPS is not a direct solution to enforce encryption for uploads to S3. It relies on the clients to implement HTTPS correctly, which may not be guaranteed.
The s3-bucket-ssl-requests-only managed rule in AWS Config is intended to check whether S3 bucket policies enforce SSL requests. While this helps with monitoring compliance, it does not actively prevent uploads without encryption in transit.
Adding an S3 bucket policy that denies all S3 actions for the condition “aws”: “false” effectively prevents any uploads that are not using HTTPS (i.e., not encrypted in transit). This enforces the requirement at the bucket level.
Adding an S3 bucket ACL with a grantee of AllUsers and a permission of WRITE, along with a condition of secureTransport, is not a valid way to enforce encryption. Bucket ACLs do not support conditions, so this approach would not work to enforce encryption in transit for uploads.
If I’m not mistaken, the answer is:
Add an S3 bucket policy that denies all S3 actions for condition “aws:secureTransport”: “false”.
I outline that the answer is:
Add an S3 bucket policy that denies all S3 actions for condition “aws:secureTransport”: “false”.