AWS Certified SysOps Administrator Practice Exam

How can you enforce server-side encryption with S3 (SSE-S3) for files uploaded to an S3 bucket?

• A. By setting encryption rules at the IAM user level
• B. Using the "Default Encryption" setting in AWS S3
• C. Manually encrypting each file before upload
• D. Applying a bucket policy that enforces encryption

The correct answer is: Using the "Default Encryption" setting in AWS S3

The correct choice highlights the significance of using the "Default Encryption" setting in AWS S3 to enforce server-side encryption with S3 (SSE-S3) for files uploaded to an S3 bucket. When this setting is enabled, any file uploaded to the bucket automatically undergoes encryption using Amazon S3-managed keys (SSE-S3). This eliminates the need for manual encryption before uploads and provides a seamless way to ensure that all objects stored in the bucket benefit from encryption without requiring individual user action. By configuring the default encryption feature, you can maintain consistent security compliance for all data stored in the bucket, protecting it against unauthorized access and safeguarding data in transit and at rest. This approach simplifies management significantly, as it applies encryption settings universally across all uploads by anyone with access to the bucket, thereby reducing the likelihood of human error. Alternatives such as setting encryption rules at the IAM user level or applying a bucket policy could provide some level of control but do not guarantee that all objects uploaded will be encrypted without additional measures. Manually encrypting files before upload also lacks the efficiency and automation provided by the default encryption setting and places the burden on the user to ensure proper encryption is applied.