Encryption splits by data state: encryption at rest protects data on disk/storage, encryption in transit protects data moving on the network. SCS-C03 specifically asks "which service encrypts how at rest?", "how do you enforce transit encryption?", and "how does key rotation work?" Today we organize these across services.
TLS is the de facto encryption standard for transit. The key distinction: "supporting TLS" differs from "refusing plaintext." Security exams always test enforcement.
aws:SecureTransport: false to block HTTP.