Restatement
The requirement is:
Update the bucket policy so that any PutObject request will be denied unless it includes the x-amz-server-side-encryption header.
This is AWS S3 bucket policy enforcement to require server-side encryption for all objects uploaded.
Why this is needed
- By default, anyone with permission to upload to a bucket can upload data without encryption.
- Security best practice often requires all objects to be encrypted.
- Enforcing via a bucket policy prevents users from bypassing encryption requirements.
How it works
When you upload an object to S3 (PutObject), you can include headers that control encryption, such as:
x-amz-server-side-encryption: AES256
or
x-amz-server-side-encryption: aws:kms
A bucket policy can check for this header and deny the upload if it’s missing.
Example Bucket Policy
Here’s a sample policy that enforces server-side encryption:
```json
{
  "Version": "2012-10-17",
  "Id": "EnforceSSE",
  "Statement": [
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
Breaking this policy down
| Field | Meaning |
|---|---|
| `"Effect": "Deny"` | Denies the action if the condition matches |
| `"Principal": "*"` | Applies to all users |
| `"Action": "s3:PutObject"` | Applies to object uploads |
| `"Resource": "arn:aws:s3:::my-bucket-name/*"` | Applies to all objects in the bucket |
| `"Condition"` | Specifies the requirement |
| `"StringNotEquals"` | Deny if the header does not equal `"AES256"` |
| `"s3:x-amz-server-side-encryption"` | The encryption header |

Because the condition pins the value to `AES256`, an upload that sets the header to `aws:kms` (the other value shown above) is denied as well; to accept both, list both values in the condition.
Example in Practice
Allowed request
```http
PUT /my-object HTTP/1.1
Host: my-bucket-name.s3.amazonaws.com
x-amz-server-side-encryption: AES256
```
✅ Allowed — encryption header is present.
Denied request
```http
PUT /my-object HTTP/1.1
Host: my-bucket-name.s3.amazonaws.com
```
❌ Denied — encryption header missing.
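To make the policy and the two requests above concrete, here is an added example (not part of the original post) that parses the page's bucket policy, extracts which `x-amz-server-side-encryption` values its Deny statements permit on `s3:PutObject`, and classifies a request's headers against that condition. It generalizes slightly beyond the page: it accepts list-valued `Action` and condition values and treats a missing header as the denied case the post describes. The function names and verdict strings are this example's own.

```python
import json

# Sample input: the bucket policy shown on this page, embedded so the check runs offline.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "EnforceSSE",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-bucket-name/*",
        "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
    }],
})

SSE_KEY = "s3:x-amz-server-side-encryption"


def _as_list(value):
    """IAM allows either a scalar or a list for Statement, Action and condition values."""
    return value if isinstance(value, list) else [value]


def required_sse_algorithms(policy_json):
    """Return the set of header values the policy's Deny statements permit on
    s3:PutObject. An empty set means the policy does not enforce SSE at all."""
    policy = json.loads(policy_json)
    permitted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
        if SSE_KEY in not_equals:
            permitted.update(_as_list(not_equals[SSE_KEY]))
    return permitted


def header_verdict(policy_json, headers):
    """Classify a PutObject request by its headers under the policy's SSE condition.
    Header names are matched case-insensitively, as HTTP requires."""
    permitted = required_sse_algorithms(policy_json)
    if not permitted:
        return "no-sse-enforcement"
    value = {k.lower(): v for k, v in headers.items()}.get("x-amz-server-side-encryption")
    if value is None:
        return "denied-missing-header"   # the request the post shows as denied
    return "allowed" if value in permitted else "denied-wrong-algorithm"
```

Running `header_verdict(PAGE_POLICY, {"x-amz-server-side-encryption": "aws:kms"})` shows the caveat from the breakdown: this policy rejects KMS-encrypted uploads, not just unencrypted ones.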
Key points for exams
- The Condition key s3:x-amz-server-side-encryption enforces encryption headers.
- Bucket policies are evaluated before IAM policies — so this is a powerful enforcement tool.
- This is often asked in SAA exam scenarios where compliance and security policies are involved.