Exam SCS-C02
Question 170

A company uses AWS Organizations and has many AWS accounts. The company has a new requirement to use server-side encryption with customer-provided keys (SSE-C) on all new object uploads to Amazon S3 buckets.

A security engineer is creating an SCP that includes a Deny effect for the s3:PutObject action.

Which condition must the security engineer add to the SCP to enforce the new SSE-C requirement?

    Correct Answer: A

    To enforce server-side encryption with customer-provided keys (SSE-C) on all new object uploads to Amazon S3 buckets, the condition must ensure that the SSE-C algorithm header is present in the request. That header is evaluated through the s3:x-amz-server-side-encryption-customer-algorithm condition key. The correct condition is a Null check on that key, ensuring it is not null: because the statement is a Deny, it applies when the key is null, that is, when the header is missing. This verifies that the header required for SSE-C is included in every s3:PutObject request, thus enforcing the use of SSE-C.
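
The Deny statement described in the answer, with a simplified model of how the Null operator decides each upload. This is an added example, not code from the original page or from AWS; the Sid, the Resource value, the helper names and the sample request contexts are assumptions constructed for illustration.

```python
import json

# SCP statement following the Deny + Null pattern from the answer above.
# The Sid and Resource values are assumptions for this example.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireSSEC",
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Resource": "*",
        "Condition": {
            "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "true"}
        },
    }],
}

def null_matches(expected, context, key):
    """Null operator: "true" matches when the key is absent, "false" when present."""
    return (key not in context) == (expected.lower() == "true")

def scp_denies(policy, action, context):
    """Simplified model: True if any Deny statement matches the request.
    Handles only exact action names and the Null operator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if action not in actions:
            continue
        null_block = stmt.get("Condition", {}).get("Null", {})
        if all(null_matches(v, context, k) for k, v in null_block.items()):
            return True
    return False

# Constructed request contexts (condition keys derived from request headers).
SSE_C = {"s3:x-amz-server-side-encryption-customer-algorithm": "AES256"}
SSE_KMS = {"s3:x-amz-server-side-encryption": "aws:kms"}
PLAIN = {}

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for name, ctx in [("SSE-C", SSE_C), ("SSE-KMS", SSE_KMS), ("no header", PLAIN)]:
        print(f"PutObject with {name}: denied={scp_denies(SCP, 's3:PutObject', ctx)}")
```

In this model, uploads that use SSE-KMS or no encryption header are denied as well, because neither sets the customer-algorithm key.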

Discussion
zek

A - Correct Answer https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#ssec-require-condition-key

xekiva3329
Option: A

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html

fibonacciname
Option: A

A is correct

5409b91
Option: A

Condition: The condition specifies that the s3:x-amz-server-side-encryption-customer-algorithm key must not be null (Null: "true"). If this key is absent, the condition evaluates to true, and the Deny effect is applied.