Courseiva
SAA-C03
Full test
mediummultiple choiceObjective-mapped

A batch process uploads artifacts to an Amazon S3 bucket using multipart uploads. The bucket policy contains a statement that explicitly denies PutObject and CreateMultipartUpload unless the request uses server-side encryption with AWS KMS (SSE-KMS) and includes these request headers/parameters: x-amz-server-side-encryption=aws:kms and x-amz-server-side-encryption-aws-kms-key-id set to a specific CMK. After the process was updated, uploads intermittently fail with AccessDenied errors. Which change is the best way to make uploads succeed while still meeting the bucket policy's encryption requirement?

Question 1mediummultiple choice
Full question →

A batch process uploads artifacts to an Amazon S3 bucket using multipart uploads. The bucket policy contains a statement that explicitly denies PutObject and CreateMultipartUpload unless the request uses server-side encryption with AWS KMS (SSE-KMS) and includes these request headers/parameters: x-amz-server-side-encryption=aws:kms and x-amz-server-side-encryption-aws-kms-key-id set to a specific CMK. After the process was updated, uploads intermittently fail with AccessDenied errors. Which change is the best way to make uploads succeed while still meeting the bucket policy's encryption requirement?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

Update the IAM role policy to add s3:PutObject permissions for the bucket prefix.

Even if IAM allows s3:PutObject, an explicit Deny in an S3 bucket policy still blocks the request. If the required SSE-KMS encryption headers, including the required CMK key ID, are not present, the policy Deny still applies.

B

Best answer

Update the uploader so the CreateMultipartUpload request includes SSE-KMS with the required CMK key ID; any separate PutObject uploads should include the same headers.

For multipart uploads, SSE-KMS is specified on CreateMultipartUpload rather than on individual UploadPart calls. Supplying the required SSE-KMS settings and CMK key ID on the upload initiation request satisfies the bucket policy's condition without weakening the encryption requirement.

C

Distractor review

Remove the bucket policy's explicit Deny statement so the IAM permissions control access.

Removing the Deny weakens the encryption enforcement requirement and would allow uploads that do not meet the SSE-KMS and specific CMK requirements.

D

Distractor review

Switch to client-side encryption (SSE-C) because it also encrypts data at rest in S3.

SSE-C does not satisfy the bucket policy conditions that specifically require SSE-KMS and the required x-amz-server-side-encryption-aws-kms-key-id for the designated CMK. Requests using SSE-C would still be denied.

Common exam trap

Common exam trap: ACLs stop at the first match

ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.

Technical deep dive

How to think about this question

ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.

KKey Concepts to Remember

  • Standard ACLs match source addresses.
  • Extended ACLs can match source, destination, protocol and ports.
  • The first matching ACL entry is used.
  • There is usually an implicit deny at the end.

TExam Day Tips

  • Check inbound versus outbound direction.
  • Read the ACL from top to bottom.
  • Look for a broader permit or deny above the intended line.

Related practice questions

Related SAA-C03 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

SAA-C03 VPC practice questions

Practise SAA-C03 questions linked to SAA-C03 VPC.

SAA-C03 S3 lifecycle policy questions

Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.

SAA-C03 RDS Multi-AZ questions

Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.

SAA-C03 IAM policy practice questions

Practise SAA-C03 questions linked to SAA-C03 IAM policy.

SAA-C03 Route 53 failover questions

Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.

SAA-C03 CloudFront practice questions

Practise SAA-C03 questions linked to SAA-C03 CloudFront.

SAA-C03 NAT gateway questions

Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.

SAA-C03 VPC endpoint questions

Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.

SAA-C03 Auto Scaling practice questions

Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.

SAA-C03 disaster recovery questions

Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.

SAA-C03 high availability questions

Practise SAA-C03 questions linked to SAA-C03 high availability questions.

SAA-C03 cost optimization questions

Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?

Question 2

A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?

Question 3

A solutions architect is designing an S3 bucket for a IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

Question 4

A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 5

A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?

Question 6

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Update the uploader so the CreateMultipartUpload request includes SSE-KMS with the required CMK key ID; any separate PutObject uploads should include the same headers. — The bucket policy uses an explicit Deny that triggers unless upload requests use SSE-KMS with the specified CMK key ID. For multipart uploads, the required encryption parameters are set on CreateMultipartUpload, not on individual UploadPart calls. Updating the uploader to include the required SSE-KMS headers and correct CMK key ID on the multipart initiation request ensures the request does not match the Deny conditions, so uploads succeed without relaxing the encryption requirement. Option A only changes IAM allow permissions; it cannot override an explicit Deny in the bucket policy. Option C removes the security control rather than meeting the stated encryption requirement. Option D changes encryption type to SSE-C, which does not satisfy the bucket policy's SSE-KMS and CMK key ID conditions.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.