The correct solution is Configure a bucket policy to require server-side encryption using Amazon S3 managed encryption keys (SSE-S3) for all uploads. By using a bucket policy to enforce encryption, S3 rejects any upload request that does not include the appropriate encryption headers, guaranteeing that data is encrypted at rest immediately upon arrival. This approach is simple, reliable, and does not require changes to client applications. Because all communication with S3 uses HTTPS by default, data is also encrypted in transit.

The option Apply client-side encryption at the source before uploading the data to the S3 buckets technically satisfies encryption in transit and at rest. However, it introduces additional complexity, as the application must handle key management and encryption logic. This also places the responsibility on every data source, which increases the risk of misconfiguration or inconsistent enforcement.

The choice Activate the encryption setting on each S3 bucket using the default AWS KMS key provided by the service may seem valid, but the default AWS-managed KMS key (SSE-KMS with default key) does not enforce encryption unless the client includes the correct headers, unless paired with a bucket policy. Simply enabling encryption in the buckets settings does not block unencrypted uploads.

The response Use server-side encryption on S3 objects after the data has been stored in the bucket is incorrect because encryption must be applied at the time of upload. Post-upload encryption is not a native or recommended flow in S3it contradicts the requirement to encrypt the data before storage, not after.

This question is important because it touches on foundational AWS security best practices: enforcing encryption at rest and in transit for S3 data. A common mistake in these types of questions is to assume that enabling encryption on the bucket is sufficient. However, enforcement requires a bucket policy to prevent unencrypted uploads. A useful trick is to look for the option that enforces compliance at the service level rather than relying on manual or client-side enforcement, which is more error-prone.

The challenge in this question is recognizing the difference between enabling encryption and enforcing encryption. Only a bucket policy guarantees that non-compliant uploads will be rejected, making it the most secure and operationally sound choice.

Full AWS Practitioner Certification Question