
A security requirement states: all uploads to an S3 bucket must (1) use TLS in transit and (2) use server-side encryption with AWS KMS (SSE-KMS) using the CMK key id 'abcd-1234'; otherwise the upload should be rejected. A developer reports that uploads are succeeding even though clients are sometimes using non-encrypted requests. Which bucket policy approach most directly enforces both controls?


Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

Add an Allow statement granting s3:PutObject to the developer role; rely on IAM conditions in the developer role to enforce TLS and SSE-KMS.

An Allow statement, whether in the bucket policy or on the developer role, only grants access while its conditions hold; when they do not, it simply fails to grant, and any other Allow the caller already has still lets the upload through. Conditions on the developer role also reach only that role, not other principals that can call PutObject on the bucket. A bucket-wide requirement is enforced centrally by explicit Deny statements in the bucket policy conditioned on request attributes, which no Allow anywhere can override.

B

Best answer

Use Deny statements that reject PutObject when aws:SecureTransport is false and reject PutObject when s3:x-amz-server-side-encryption is not 'aws:kms' or when s3:x-amz-server-side-encryption-aws-kms-key-id does not equal 'abcd-1234'.

These Deny statements block noncompliant requests from every caller, regardless of identity-based permissions, because an explicit Deny in any applicable policy overrides any Allow. aws:SecureTransport is false for requests sent over plain HTTP. The SSE-KMS condition keys mirror the request headers: s3:x-amz-server-side-encryption carries the requested algorithm ('aws:kms') and s3:x-amz-server-side-encryption-aws-kms-key-id identifies the KMS key; in a deployed policy the key is matched by its full key ARN rather than the bare id 'abcd-1234'. Deny statements grant nothing, so compliant callers still need an Allow for s3:PutObject from IAM or the bucket policy.
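The policy described in option B, written out and checked against a handful of constructed requests. This is an added example, not code from the question bank: the bucket name, account id, region and key ARN are placeholders, and the evaluator is a deliberately small model of IAM condition evaluation that implements only the operators this policy uses (Bool, Null, StringNotEquals) together with the IAM rule that a negated operator such as StringNotEquals matches when its key is absent from the request context.

```python
"""Bucket policy enforcing TLS + SSE-KMS with one mandated key, plus a
minimal condition evaluator to show which requests each statement denies.

Added example, not from the original page. Names below are placeholders.
"""
import json

BUCKET = "example-upload-bucket"  # assumed bucket name
# The key-id condition key is compared against the key's full ARN, not the
# bare id, so the question's 'abcd-1234' is written as an (assumed) ARN.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/abcd-1234"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"


def deny(sid, condition):
    """Build one explicit-Deny statement that applies to every principal."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": OBJECTS, "Condition": condition}


BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # (1) transport: aws:SecureTransport is "false" for plain-HTTP requests
        deny("DenyInsecureTransport", {"Bool": {"aws:SecureTransport": "false"}}),
        # (2) encryption: header absent, algorithm other than aws:kms, or a key
        #     other than the mandated one. StringNotEquals already matches an
        #     absent header; the Null statement spells that case out explicitly.
        deny("DenyMissingEncryptionHeader",
             {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        deny("DenyNonKmsEncryption",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        deny("DenyWrongKmsKey",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}),
    ],
}


def put_object_context(tls, sse=None, key_arn=None):
    """Constructed request context for a PutObject, keyed like IAM condition keys."""
    ctx = {"action": "s3:PutObject", "aws:SecureTransport": "true" if tls else "false"}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    if key_arn is not None:
        ctx["s3:x-amz-server-side-encryption-aws-kms-key-id"] = key_arn
    return ctx


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition pair against the request context."""
    actual = ctx.get(key)
    if operator == "Bool":
        return actual is not None and actual.lower() == expected.lower()
    if operator == "Null":  # "true" means: the key must be absent
        return (actual is None) == (expected.lower() == "true")
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":  # negated operator: an absent key matches
        return actual is None or actual != expected
    raise ValueError(f"operator not modelled: {operator}")


def deny_reasons(ctx, policy=BUCKET_POLICY):
    """Return the Sids of Deny statements whose conditions all hold for ctx.

    An empty list means nothing here blocks the request; the caller still
    needs an Allow from somewhere, because Deny statements grant nothing.
    """
    hits = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or ctx["action"] not in actions:
            continue
        if all(condition_matches(op, key, value, ctx)
               for op, pairs in stmt["Condition"].items()
               for key, value in pairs.items()):
            hits.append(stmt["Sid"])
    return hits


# Constructed sample requests; only the last one is a compliant upload.
SAMPLES = {
    "plain_http": put_object_context(tls=False, sse="aws:kms", key_arn=KEY_ARN),
    "no_headers": put_object_context(tls=True),
    "sse_s3": put_object_context(tls=True, sse="AES256"),
    "other_key": put_object_context(tls=True, sse="aws:kms",
                                    key_arn="arn:aws:kms:us-east-1:111122223333:key/other"),
    "compliant": put_object_context(tls=True, sse="aws:kms", key_arn=KEY_ARN),
}

if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for name, ctx in SAMPLES.items():
        print(f"{name:>11}: {deny_reasons(ctx) or 'not denied by this policy'}")
```

Against a real bucket the same cases can be exercised with `aws s3api put-object --bucket <bucket> --key probe --body ./probe --server-side-encryption AES256`, which should fail with AccessDenied, and the same command with `--server-side-encryption aws:kms --ssekms-key-id <key ARN>`, which should succeed; a request routed through an `http://` endpoint URL should fail regardless of headers.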

C

Distractor review

Enable S3 default encryption to SSE-KMS and remove any bucket policy enforcement, since default encryption automatically rejects all noncompliant uploads.

S3 default encryption only fills in an encryption setting when a request carries no encryption header. A request that explicitly asks for AES256 (SSE-S3) or for a different KMS key is honoured, not rejected, and default encryption says nothing at all about TLS. It is a sensible companion to the Deny statements, never a replacement for them, because it cannot reject anything.

D

Distractor review

Attach a WAF rule to the S3 website endpoint to block non-TLS requests, because bucket policies cannot evaluate aws:SecureTransport.

AWS WAF can only be associated with supported front ends such as CloudFront, an Application Load Balancer or API Gateway, not with an S3 bucket or its endpoints. S3 website endpoints serve only GET and HEAD over plain HTTP and never accept PutObject, so there is nothing there to block. Bucket policies, by contrast, evaluate aws:SecureTransport for every S3 API request, which makes them the right control for the TLS requirement.

Common exam trap

Common exam trap: a conditioned Allow is not a Deny

An Allow whose condition fails simply does not grant; any other Allow the caller has still applies. Only an explicit Deny rejects a request no matter what else is allowed, and only a Deny in the bucket policy applies to every caller rather than to one role.

Technical deep dive

How to think about this question

Enforcement questions test where a control is evaluated and whom it covers: IAM conditions reach one principal, a bucket policy covers every request to the bucket, default encryption only fills in omitted headers, and WAF never sees the S3 API at all. An option can be mostly right and still fail because it applies at the wrong layer or to the wrong set of callers.

Key Concepts to Remember

  • An explicit Deny in a bucket policy overrides any Allow, whichever policy grants it.
  • aws:SecureTransport is false for requests sent over plain HTTP.
  • s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id expose the SSE request headers to policy conditions.
  • Default encryption applies only when the request omits encryption headers; it never rejects a request.

Exam Day Tips

  • When the requirement says "must" or "reject", look for an explicit Deny with a condition, not a conditioned Allow.
  • Check which callers the proposed control actually covers: one role, or every principal that can reach the bucket.
  • Treat any option that puts WAF in front of an S3 bucket, or claims default encryption rejects uploads, as a distractor.


FAQ

Questions learners often ask

What does this SAA-C03 question test?

How to make an S3 bucket enforce TLS in transit and SSE-KMS with one specific key for every uploader: explicit Deny statements in the bucket policy conditioned on aws:SecureTransport and the SSE-KMS request headers, rather than IAM-side conditions, default encryption or WAF.

What is the correct answer to this question?

The correct answer is: Use Deny statements that reject PutObject when aws:SecureTransport is false and reject PutObject when s3:x-amz-server-side-encryption is not 'aws:kms' or when s3:x-amz-server-side-encryption-aws-kms-key-id does not equal 'abcd-1234'. The most direct way to enforce both requirements at the bucket level is a set of explicit Deny statements in the bucket policy conditioned on request attributes: deny PutObject when aws:SecureTransport is false to block non-TLS uploads, deny PutObject when the SSE header is missing or names an algorithm other than aws:kms, and deny PutObject when the supplied key (s3:x-amz-server-side-encryption-aws-kms-key-id) is not the mandated one. Because an explicit Deny overrides any identity-based Allow, noncompliant uploads fail consistently even when IAM permissions are broad. Option A relies on IAM-side conditions, which are not centrally enforced and cover only the principals they are attached to. Option C misreads default encryption, which only covers requests that omit the headers and never rejects explicit, incorrect SSE-KMS headers. Option D is wrong because WAF cannot be attached to S3 and is no substitute for a bucket-policy check of aws:SecureTransport on S3 API calls.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
