What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
Choose an answer
Tap an option to check your answer.
Correct answer: Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set..
Why this is the answer
To ensure all objects uploaded to an S3 bucket are encrypted, a solutions architect should use a bucket policy that denies s3:PutObject requests unless the x-amz-server-side-encryption header is present. This header indicates that the object is being uploaded with server-side encryption. If this header is missing, the policy will deny the upload, enforcing encryption for all new objects. The s3:x-amz-acl header relates to access control lists, not encryption, so denying based on its absence or value won't enforce encryption. The aws:SecureTransport header ensures data is transferred over HTTPS, which is good practice for security, but it does not enforce server-side encryption of the object at rest within S3.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed