Your company requires that all requests to an S3 bucket use HTTPS and that all objects uploaded to the bucket are encrypted at rest. You manage the S3 bucket policy and want enforcement that does not rely on application code compliance.
Which bucket policy change best enforces both requirements?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Add a Deny statement for all S3 actions on the bucket and its objects when aws:SecureTransport is false, and add a Deny statement for s3:PutObject when the request does not specify server-side encryption with AES256 (s3:x-amz-server-side-encryption = "AES256").
This enforces HTTPS for all S3 requests by denying any non-TLS access and enforces encryption at rest by denying uploads that do not request SSE-S3. Because the controls are in the bucket policy, compliance does not depend on application behavior.
Use S3 website hosting to redirect users to HTTPS and rely on bucket default encryption for all uploads.
Website redirects do not enforce HTTPS for SDK or API calls, and default encryption does not ensure requests are rejected when the application omits encryption settings. This is not a policy-based enforcement approach.
Add a Deny statement for s3:GetObject when aws:SecureTransport is false, and enable default encryption on the bucket.
This only blocks non-TLS reads, not non-TLS writes or other S3 actions. It also relies on default encryption rather than explicitly enforcing encrypted uploads through policy conditions.
Allow only IAM principals from your account to access the bucket and require clients to configure HTTPS in their applications.
Restricting principals does not enforce TLS or encryption at rest. Requiring application-side configuration does not satisfy the requirement for bucket-level enforcement.
Common exam trap
NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.
Technical deep dive
NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
Static NAT maps one inside address to one outside address.
The correct answer is: Add a Deny statement for all S3 actions on the bucket and its objects when aws:SecureTransport is false, and add a Deny statement for s3:PutObject when the request does not specify server-side encryption with AES256 (s3:x-amz-server-side-encryption = "AES256"). — A bucket policy can enforce both requirements with explicit Deny statements. One Deny should block any S3 request when aws:SecureTransport is false, which enforces HTTPS. A second Deny should block s3:PutObject unless the request includes the server-side encryption header for AES256, which enforces encryption at rest for uploaded objects. This is enforced centrally and does not depend on client code. Why others are wrong: B is incorrect because website redirects do not enforce HTTPS for all S3 access paths, and default encryption does not reject unencrypted upload requests. C is incorrect because it protects only reads, not all S3 traffic, and does not enforce encrypted uploads as strictly as a request-condition Deny. D is incorrect because principal restrictions and application guidance do not enforce transport security or encryption at the bucket policy layer.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.