
AWS Certified Developer Associate forum, Reply To: S3 encryption

  • Carlo-TutorialsDojo

    Member
    January 23, 2024 at 6:09 pm

    Thanks for your feedback.

    I understand your concern.

    There are various methods for using the x-amz-server-side-encryption-aws-kms-key-id header in a condition within a bucket policy. One way is to place it under a Null condition and set the value of x-amz-server-side-encryption-aws-kms-key-id to true. By doing this, if no specific KMS ID is provided in the request, S3 will deny the request. Another method is to use a String match condition, which allows you to enforce the usage of a particular KMS key. In this question, the option “Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.” is meant to refer to the second method, which is why it’s considered wrong, since the scenario is simply asking for the enforcement of SSE-KMS, regardless of the KMS key used.

    We acknowledge that the context in which the x-amz-server-side-encryption-aws-kms-key-id header is used is not clearly defined. To prevent any confusion, we will update and clarify this item accordingly.

    Let me know if you need any further clarifications.

    Regards,

    Carlo @ Tutorials Dojo
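The three condition styles discussed in the reply above, written out as one bucket policy so the difference is visible side by side. This is an added example, not part of the original post or of Tutorials Dojo's material; the bucket name, account ID and KMS key ARN are placeholders, and the first statement uses the s3:x-amz-server-side-encryption condition key (not mentioned in the reply) to enforce SSE-KMS regardless of which key is used.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectUnlessSSEKMSAnyKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyPutObjectWithoutKmsKeyIdHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "true"
        }
      }
    },
    {
      "Sid": "DenyPutObjectUnlessSpecificKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    }
  ]
}
```

The first statement on its own satisfies the scenario the question describes (SSE-KMS with any key); the second and third are the Null and String match methods from the reply and belong in a policy that must pin uploads to one particular key.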