S3 Bucket policy encryption key enforcement



This content originally appeared on DEV Community and was authored by Wakeup Flower

Restatement

The requirement is:

Update the bucket policy so that any PutObject request will be denied unless it includes the x-amz-server-side-encryption header.

This is an S3 bucket policy that enforces server-side encryption for every object uploaded to the bucket.

Why this is needed

  • By default, anyone with permission to upload to a bucket can upload data without encryption.
  • Security best practice often requires all objects to be encrypted.
  • Enforcing via a bucket policy prevents users from bypassing encryption requirements.

How it works

When you upload an object to S3 (PutObject), you can include headers that control encryption, such as:

x-amz-server-side-encryption: AES256

or

x-amz-server-side-encryption: aws:kms

A bucket policy can check for this header and deny the upload if it’s missing.

Example Bucket Policy

Here’s a sample policy that enforces server-side encryption:

{
  "Version": "2012-10-17",
  "Id": "EnforceSSE",
  "Statement": [
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

Breaking this policy down

Field                                          Meaning
"Effect": "Deny"                               Denies the action if the condition matches
"Principal": "*"                               Applies to all users
"Action": "s3:PutObject"                       Applies to object uploads
"Resource": "arn:aws:s3:::my-bucket-name/*"    Applies to all objects in the bucket
"Condition"                                    Specifies the requirement
"StringNotEquals"                              Deny if the header does not equal "AES256"
"s3:x-amz-server-side-encryption"              The encryption header

Example in Practice

Allowed request

PUT /my-object HTTP/1.1
Host: my-bucket-name.s3.amazonaws.com
x-amz-server-side-encryption: AES256

✅ Allowed — encryption header is present.

Denied request

PUT /my-object HTTP/1.1
Host: my-bucket-name.s3.amazonaws.com

❌ Denied — encryption header missing.
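To see how the condition decides the two requests above, here is an added Python evaluator (not code from the original post) that applies the policy's StringNotEquals check to a PutObject with an AES256 header, with no header, and with aws:kms. It assumes IAM's documented semantics for negated operators (an absent key evaluates true, so a missing header is denied) and adds a POLICY_ANY_SSE variant, my own construction, that accepts either SSE-S3 or SSE-KMS.

```python
import copy
import json
from fnmatch import fnmatch

# The page's bucket policy, embedded as constructed input for this evaluator.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyUnencryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-bucket-name/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}
  }]
}""")

# Constructed variant that accepts SSE-S3 or SSE-KMS: a list means "not equal to any".
POLICY_ANY_SSE = copy.deepcopy(POLICY)
POLICY_ANY_SSE["Statement"][0]["Condition"]["StringNotEquals"][
    "s3:x-amz-server-side-encryption"] = ["AES256", "aws:kms"]

def string_not_equals(expected, actual):
    """StringNotEquals as IAM evaluates it (assumed here): it is a negated operator,
    so an absent key evaluates true, which is why a missing header is denied."""
    if actual is None:
        return True
    allowed = expected if isinstance(expected, list) else [expected]
    return actual not in allowed  # case-sensitive, like IAM String* operators

def put_object_decision(policy, key, headers):
    """Return 'Deny' if any Deny statement matches this PutObject, else 'NotDenied'.
    Only the grammar used by the page's policy is implemented; Principal '*' is
    taken to cover every caller, and an Allow from elsewhere is still required."""
    resource = f"arn:aws:s3:::my-bucket-name/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not fnmatch(resource, stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringNotEquals", {})
        # Condition key "s3:x-amz-server-side-encryption" maps to the request header.
        if all(string_not_equals(v, headers.get(k.split(":", 1)[1]))
               for k, v in conditions.items()):
            return "Deny"
    return "NotDenied"

if __name__ == "__main__":
    for hdrs in ({"x-amz-server-side-encryption": "AES256"}, {},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, put_object_decision(POLICY, "my-object", hdrs),
              put_object_decision(POLICY_ANY_SSE, "my-object", hdrs))
```

Note that the page's policy, as written, also denies an upload that asks for aws:kms, because the header value is not exactly "AES256"; the list form shows how to permit both.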

Key points for exams

  • The condition key s3:x-amz-server-side-encryption checks the encryption header on the request.
  • Bucket policies are evaluated before IAM policies — so this is a powerful enforcement tool.
  • This is often asked in SAA exam scenarios where compliance and security policies are involved.
