The x-amz-server-side-encryption header is used to specify the encryption method that should be used to encrypt objects uploaded to an Amazon S3 bucket. By updating the bucket policy to deny if the PutObject does not have this header set, the solutions architect can ensure that all objects uploaded to the bucket are encrypted.
Related reading because (as of Jan 2023) S3 buckets have encryption enabled by default.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html
"If you require your data uploads to be encrypted using only Amazon S3 managed keys, you can use the following bucket policy. For example, the following bucket policy denies permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption:"
To encrypt an object at the time of upload, you need to add a header called x-amz-server-side-encryption to the request to tell S3 to encrypt the object using SSE-C, SSE-S3, or SSE-KMS. The following code example shows a Put request using SSE-S3.
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
The other options would not enforce encryption:
A) Requiring an s3:x-amz-acl header does not mandate encryption. This header controls access permissions.
B) Requiring an s3:x-amz-acl header set to private also does not enforce encryption. It only enforces private access permissions.
C) Requiring an aws:SecureTransport header ensures uploads use SSL but does not specify that objects must be encrypted. Encryption is not required when using SSL transport.
To ensure that all objects uploaded to an Amazon S3 bucket are encrypted, the solutions architect should update the bucket policy to deny any PutObject requests that do not have an x-amz-server-side-encryption header set. This will prevent any objects from being uploaded to the bucket unless they are encrypted using server-side encryption.
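An added example, not from any of the commenters or from AWS: the deny-style bucket policy that the comments and the quoted doc describe, with a small Python evaluator that models its Null and StringNotEquals conditions and runs sample PutObject header sets through it. The bucket name is a placeholder and the handling of a missing key under StringNotEquals is an assumption, as noted in the code.

```python
import json
from typing import Optional

# Constructed policy in the shape the AWS docs describe: one statement denies a
# wrong header value, the other denies a missing header. Bucket name is a placeholder.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the two operators this policy uses against a request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            present = key in context
            if operator == "Null":
                # Null/"true" matches when the key is absent, Null/"false" when present
                if present != (wanted == "false"):
                    return False
            elif operator == "StringNotEquals":
                # Assumption: a missing key is modelled as no match here; the policy
                # does not depend on it because the Null statement covers absence.
                if not present or context[key] == wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def put_object_denied(headers: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement a PutObject request trips, else None.
    The HTTP header x-amz-server-side-encryption is exposed to the policy as the
    condition key s3:x-amz-server-side-encryption."""
    context = {"s3:" + name.lower(): value for name, value in headers.items()}
    for stmt in BUCKET_POLICY["Statement"]:
        if stmt["Effect"] == "Deny" and condition_matches(stmt["Condition"], context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    for hdrs in ({}, {"x-amz-acl": "private"}, {"x-amz-server-side-encryption": "AES256"}):
        print(hdrs, "->", put_object_denied(hdrs))
```

Note that a request carrying only x-amz-acl: private (the acl options above) is still denied, since the policy keys on the encryption header alone.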