Which of the following bucket policies will ensure that objects being uploaded to a bucket called ‘demo’ are encrypted?

Answer options:

A.{
 "Version":"2012-10-17",
 "Id":"PutObj",
 "Statement":[
{
 "Sid":"DenyUploads",
 "Effect":"Deny",
 "Principal":"*",
 "Action":"s3:PutObject",
 "Resource":"arn:aws:s3:::demo/*",
 "Condition":{
"StringNotEquals":{
 "s3:x-amz-server-side-encryption":"aws:kms"
}
 }
}
 ]
}
B.{
 "Version":"2012-10-17",
 "Id":"PutObj",
 "Statement":[
{
 "Sid":"DenyUploads",
 "Effect":"Deny",
 "Principal":"*",
 "Action":"s3:PutObject",
 "Resource":"arn:aws:s3:::demo/*",
 "Condition":{
"StringEquals":{
 "s3:x-amz-server-side-encryption":"aws:kms"
}
 }
}
 ]
}
C.{
 "Version":"2012-10-17",
 "Id":"PutObj",
 "Statement":[
{
 "Sid":"DenyUploads",
 "Effect":"Allow",
 "Principal":"*",
 "Action":"s3:PutObject",
 "Resource":"arn:aws:s3:::demo/*",
 "Condition":{
"StringEquals":{
 "s3:x-amz-server-side-encryption":"aws:kms"
}
 }
}
 ]
}
D.{
 "Version":"2012-10-17",
 "Id":"PutObj",
 "Statement":[
{
 "Sid":"DenyUploads",
 "Effect":"Deny",
 "Principal":"*",
 "Action":"s3:PutObjectEncrypted",
 "Resource":"arn:aws:s3:::demo/*"
}
 }
]
}

Answer – A
The condition of"s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.
Options B is incorrect because the condition of "s3:x-amz-server-side-encryption":"aws:kms" should be StringNotEquals instead of StringEquals.
Options C is incorrect because an explicit deny should be used instead of an explicit allow.
Options D is incorrect because the condition of "s3:x-amz-server-side-encryption":"aws:kms" should be used.
For more information on AWS KMS best practices, just browse to the below URL:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf