A data engineer needs to ensure that an Amazon S3 bucket used for sensitive data is encrypted at rest using a customer-managed AWS KMS key. The bucket policy must enforce encryption for all PUT requests. Which policy statement should be added to the bucket policy?
- A
{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"Null":{"s3:x-amz-server-side-encryption":"true"}}}
Why wrong: This denies only uploads that send no x-amz-server-side-encryption header at all. SSE-S3 (AES256) and SSE-KMS with any key, including the AWS managed aws/s3 key, still pass, so it enforces neither SSE-KMS nor the specific customer-managed key.
- B
{"Effect":"Allow","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:us-east-1:123456789012:key/abc123"}}}
Why wrong: An Allow statement never blocks anything. Uploads that use another key, or no encryption at all, simply fail to match this statement and remain permitted by whatever Allow the uploader already holds (for example in its IAM identity policy). Enforcement needs an explicit Deny, which overrides any Allow.
- C
{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"},"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"true"}}}
Why wrong: Operators inside a single Condition element are ANDed, not ORed, so this denies only when the request neither specifies aws:kms nor carries a key ID. In practice that rejects unencrypted and SSE-S3 (AES256) uploads and forces SSE-KMS, but any KMS key passes, including the AWS managed aws/s3 key, so it does not pin uploads to the customer-managed key the question names. Pinning the key needs a Deny keyed on s3:x-amz-server-side-encryption-aws-kms-key-id.
- D
{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:us-east-1:123456789012:key/abc123"}}}
This is the statement that meets the requirement. StringNotEquals is a negated operator, and negated operators evaluate to true when the condition key is absent from the request context, so an upload that sends no encryption headers (or sends aws:kms without a key ID, which would fall back to aws/s3) is denied along with any upload naming a different key; only a PUT that names this key is allowed. The comparison is an exact string match against the value the request supplies, so use the full key ARN on both sides. Pairing it with a second Deny that requires x-amz-server-side-encryption to equal aws:kms is harmless belt and braces.
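To make the evaluation rules behind these verdicts concrete, the following is an added example (written for this page, not code from AWS or from the question's author): a small Python model of the IAM condition semantics the four options depend on, run against constructed PutObject request contexts. It assumes the uploader already holds an IAM Allow for s3:PutObject, so a bucket-policy Deny is the only thing that can block an upload; the "wrong" key ARN and the request contexts are constructed; and the evaluator models only the three operators used above (Null, StringEquals, StringNotEquals) and skips Action/Resource matching, since every option targets s3:PutObject on the same bucket.

```python
"""Added example for this page (not AWS code): a tiny evaluator that models
the IAM condition semantics the four answer options hinge on.

Modelled rules (a deliberate subset of IAM):
- all operator blocks and keys inside one Condition element are ANDed;
- Null checks only whether the key is present in the request context;
- StringEquals is false when the key is absent;
- StringNotEquals is a negated operator and is true when the key is absent;
- an explicit Deny that matches wins; the uploader is assumed (assumption) to
  already hold an IAM Allow for s3:PutObject, so a non-matching Deny leaves
  the upload allowed.
"""

SSE = "s3:x-amz-server-side-encryption"
KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Key ARN and bucket taken from the answer options; the "wrong" key ARN is invented.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abc123"
WRONG_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/def456"
RESOURCE = "arn:aws:s3:::bucket/*"

# Constructed request contexts: only the condition keys S3 would derive from
# the upload's headers. A header that is not sent is simply absent.
REQUESTS = {
    "unencrypted": {},
    "sse-s3": {SSE: "AES256"},
    "sse-kms-default-key": {SSE: "aws:kms"},  # no key id: falls back to aws/s3
    "sse-kms-wrong-key": {SSE: "aws:kms", KEY_ID: WRONG_KEY_ARN},
    "sse-kms-right-key": {SSE: "aws:kms", KEY_ID: KEY_ARN},
}


def deny(condition):
    """Build a Deny statement with the Principal/Action/Resource the options share."""
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": RESOURCE, "Condition": condition}


OPTION_A = [deny({"Null": {SSE: "true"}})]
OPTION_B = [{"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
             "Resource": RESOURCE, "Condition": {"StringEquals": {KEY_ID: KEY_ARN}}}]
OPTION_C = [deny({"StringNotEquals": {SSE: "aws:kms"}, "Null": {KEY_ID: "true"}})]
OPTION_D = [deny({"StringNotEquals": {KEY_ID: KEY_ARN}})]
# Belt-and-braces pair an engineer would deploy: require SSE-KMS and pin the key.
HARDENED = [deny({"StringNotEquals": {SSE: "aws:kms"}}),
            deny({"StringNotEquals": {KEY_ID: KEY_ARN}})]


def operator_matches(op, key, want, ctx):
    """Evaluate one operator/key pair against a request context."""
    present = key in ctx
    if op == "Null":
        return present != (want == "true")
    if op == "StringEquals":
        return present and ctx[key] == want
    if op == "StringNotEquals":
        return (not present) or ctx[key] != want
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition, ctx):
    """Every operator block and every key inside it must match (AND)."""
    return all(operator_matches(op, key, want, ctx)
               for op, keys in condition.items()
               for key, want in keys.items())


def decision(statements, ctx):
    """'deny' if any Deny statement matches, else 'allow' (see assumption above)."""
    for st in statements:
        if st["Effect"] == "Deny" and condition_matches(st["Condition"], ctx):
            return "deny"
    return "allow"


def outcomes(statements):
    """Decision for every constructed request, keyed by request name."""
    return {name: decision(statements, ctx) for name, ctx in REQUESTS.items()}


def pins_key(statements):
    """True only if the policy allows the right key and denies every other upload."""
    result = outcomes(statements)
    return result["sse-kms-right-key"] == "allow" and all(
        verdict == "deny" for name, verdict in result.items()
        if name != "sse-kms-right-key")


if __name__ == "__main__":
    for label, policy in [("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C),
                          ("D", OPTION_D), ("hardened", HARDENED)]:
        print(f"{label:8} pins key: {str(pins_key(policy)):5} {outcomes(policy)}")
```

Running it shows A denying only the unencrypted upload, B denying nothing, C denying the unencrypted and SSE-S3 uploads but letting the default and wrong KMS keys through, and D (like the hardened pair) allowing only the upload that names the customer-managed key. Swap in a real bucket policy by hand-editing the statement dictionaries; the model is a reasoning aid, so confirm the result against the real service with a test upload before relying on it.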