AdministratorJanuary 23, 2024 at 6:09 pm
Thanks for your feedback.
I understand your concern.
There are various methods for using the x-amz-server-side-encryption-aws-kms-key-id in a condition within a bucket policy. One way is to place it under a Null condition and set the value of x-amz-server-side-encryption-aws-kms-key-id to true. By doing this, if no specific KMS ID is provided in the request, S3 will deny the request. Another method is to use a String match condition which will allow you to enforce the usage of a particular KMS key. In this question, the option “Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.” is meant to refer to the second method, hence why it’s considered wrong since what the scenario is simply asking the enforcement of SSE-KMS, regardless of KMS keys used.
We acknowledge that the context in which the x-amz-server-side-encryption-aws-kms-key-id header is not clearly defined. To prevent any confusion, we will update and clarify this item accordingly.
Let me know if you need any further clarifications.
Carlo @ Tutorials Dojo