A private bank is using an Amazon S3 bucket to save all transaction documents. During the annual Audit, it was found that some documents uploaded by users are unencrypted which is against security guidelines. Security Head has asked you to make necessary changes in the Amazon S3 bucket to ensure that no object should be stored in a bucket without SSE: KMS encryption enabled. Which of the following will meet this requirement?

Answer options:

A.Create an S3 bucket policy that will deny an object upload request without header " s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS.
B.Create an S3 bucket policy that will deny an object upload request without header "s3:x-amz-server-side-encryption" for server-side encryption with SSE-KMS.
C.Create an S3 ACL that will deny an object upload request without header "s3:x-and-server-side-encryption" for server-side encryption with SSE-KMS.
D.Create an S3 ACL that will deny an object upload request without header " s3:x-amz-server-side-encryption-context" for server-side encryption with SSE-KMS.

Correct Answer – B
When an object is uploaded to the Amazon S3 bucket, a header “x-amz-server-side-encryption” requesting aws:kms encryption is added to that object. To deny any user to upload unencrypted objects to the S3 bucket, a bucket policy can be created to check the header & deny user permission from uploading if the header is not present.
Option A is incorrect as header matching must be done on "s3:x-amz-server-side-encryption" & not based upon " s3:x-amz-server-side-encryption-context" which specifies encryption context for the object.
Options C& D are incorrect as Using S3 ACL is not a feasible option.
For more information on encryption on the Amazon S3 bucket, refer to the following URL-
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html