Q90 — AWS DOP-C02 Ch.2

A company is building a solution to store files containing personally identifiable information (PII) on AWS. Requirements include:

• Data must be encrypted at rest and in transit.
• Data must be replicated to at least two geographically separated locations, each at least 500 miles (805 km) apart.

Correct Answer: B. Create primary and secondary Amazon S3 buckets in two separate AWS Regions located at least 500 miles (805 km) apart. Use bucket policies to enforce HTTPS-only access. Enforce S3-managed keys (SSE-S3) on all objects uploaded to the buckets. Configure cross-region replication between the two buckets.

Explanation

Option B satisfies all requirements. First, it deploys primary and secondary Amazon S3 buckets in two separate AWS Regions at least 500 miles (805 km) apart, meeting the geographic separation requirement (for example, us-east-1 and us-west-2 are far more than 805 km apart). Second, a bucket policy that denies any request whose aws:SecureTransport condition key is false rejects plain-HTTP calls, so every transfer is encrypted in transit. Third, enforcing S3-managed keys (SSE-S3) on uploaded objects ensures encryption at rest. Cross-region replication then copies objects asynchronously to the bucket in the second Region; it requires versioning to be enabled on both buckets, and SSE-S3 encrypted objects replicate without any additional settings. Options A and D rely on Availability Zones, which sit within a single Region and therefore cannot satisfy the 500-mile distance requirement. Option C relies on IAM roles to enforce HTTPS access; an IAM identity policy governs only the principals it is attached to, whereas a bucket policy applies to every request against the bucket, including cross-account and anonymous callers, so the bucket policy is the appropriate and standard mechanism for this enforcement.
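The policy documents behind option B, as an added example that is not part of the original question or answer: a Python module that builds the HTTPS-only and SSE-S3 bucket policy, the cross-region replication rule, and a small audit function for checking an existing policy (as returned by `aws s3api get-bucket-policy`) for both controls. Bucket names, the account ID and the replication role ARN are hypothetical placeholders.

```python
"""Bucket policy, CRR rule and policy audit for the two-Region PII bucket design (added example)."""
import json

# Hypothetical names; substitute your own buckets, account and replication role.
PRIMARY_BUCKET = "example-pii-primary-use1"
SECONDARY_BUCKET = "example-pii-secondary-usw2"
REPLICATION_ROLE_ARN = "arn:aws:iam::123456789012:role/example-s3-crr-role"


def https_only_sse_s3_policy(bucket: str) -> dict:
    """Bucket policy denying non-TLS requests and non-SSE-S3 uploads.

    An explicit Deny overrides every Allow, so these statements hold regardless
    of what identity policies grant, including cross-account and anonymous callers.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Encryption in transit: any S3 API call over plain HTTP is denied.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Encryption at rest: uploads naming any algorithm other than
                # SSE-S3 (AES256), e.g. aws:kms, are denied.
                "Sid": "DenyNonSseS3Uploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
            {   # Uploads that omit the encryption header are denied as well,
                # so clients must request SSE-S3 explicitly.
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def replication_configuration(role_arn: str, destination_bucket: str) -> dict:
    """CRR rule for the primary bucket (V2 rule syntax: Filter + Priority +
    DeleteMarkerReplication). Versioning must be enabled on both buckets first."""
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "replicate-all-pii-objects",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {"Prefix": ""},  # empty prefix selects every object
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {"Bucket": f"arn:aws:s3:::{destination_bucket}",
                            "StorageClass": "STANDARD"},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: dict) -> dict:
    """Report whether a policy document carries both controls as explicit Denies.

    Returns {"https_only": bool, "sse_s3_enforced": bool}. Allow-only statements
    (e.g. Allow when aws:SecureTransport is true) do not count: they leave
    plain-HTTP access open through any other grant.
    """
    https_only = sse_s3 = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = _as_list(stmt.get("Action", []))
        cond = stmt.get("Condition", {})
        secure = [str(v).lower() for v in _as_list(cond.get("Bool", {}).get("aws:SecureTransport", []))]
        if "s3:*" in actions and "false" in secure:
            https_only = True
        sse = _as_list(cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption", []))
        if ("s3:PutObject" in actions or "s3:*" in actions) and "AES256" in sse:
            sse_s3 = True
    return {"https_only": https_only, "sse_s3_enforced": sse_s3}


if __name__ == "__main__":
    policy = https_only_sse_s3_policy(PRIMARY_BUCKET)
    print(json.dumps(policy, indent=2))
    print(json.dumps(replication_configuration(REPLICATION_ROLE_ARN, SECONDARY_BUCKET), indent=2))
    print(audit_bucket_policy(policy))
```

Apply the generated documents with `aws s3api put-bucket-policy` and `aws s3api put-bucket-replication` after enabling versioning on both buckets. The audit function deliberately accepts only Deny statements with a wildcard principal: a policy that merely allows access when the connection is TLS does not stop plain-HTTP requests authorised by some other statement, which is the mistake reviewers most often find when the requirement is "HTTPS only".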