You must ensure that all requests to an S3 bucket use TLS (HTTPS). Which S3 bucket policy approach best enforces this requirement for S3 access?

Allow all principals to GetObject when aws:SecureTransport is true

Allow-only approaches can be bypassed if other policy statements (identity-based or bucket policies) allow non-TLS requests. To enforce TLS for everyone regardless of other allows, you need an explicit Deny for non-TLS traffic.

Deny requests only when the bucket name is not matched exactly in the request

Bucket-name matching controls which bucket is targeted, not whether the request is made over TLS. An attacker can still send non-TLS requests while specifying the correct bucket name.

Require that the requester uses SSE-KMS and reject requests without SSE-KMS configuration

SSE-KMS controls encryption at rest (data stored in S3), not encryption in transit. A request can use non-TLS transport while still using SSE-KMS, so it does not meet the TLS requirement.

What does this SAA-C03 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Use a policy statement that explicitly Denies any action when aws:SecureTransport is false — Enforce TLS by adding an S3 bucket policy statement that explicitly Denies requests when aws:SecureTransport is false. This ensures that any request not made over HTTPS/TLS is rejected. The Deny statement is evaluated with higher precedence than any Allow statements, so it cannot be overridden by other bucket or IAM policy permissions. Allow statements conditioned only on aws:SecureTransport can still leave gaps if other policy statements allow non-TLS traffic. Denying based on bucket-name mismatch is unrelated to transport security. SSE-KMS relates to encryption at rest, not to TLS in transit.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.