Q45 — AWS SAP-C02 Ch.1


Q120. A company consists of two separate business units. Each business unit has its own AWS account within a single organization in AWS Organizations. The business units regularly share sensitive documents with each other. To facilitate sharing, the company created an Amazon S3 bucket in each account and configured two-way replication between the S3 buckets. The S3 buckets have millions of objects. Recently, a security audit identified that neither S3 bucket has encryption at rest enabled. Company policy requires that all documents must be stored with encryption at rest. The company wants to implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3). What is the MOST operationally efficient solution that meets these requirements?

Correct Answer: A. Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location.

Explanation

Option A is the most operationally efficient solution for enabling server-side encryption with SSE-S3 for the existing objects in the S3 buckets. By turning on SSE-S3 on both S3 buckets, you ensure that all new objects uploaded to the buckets are encrypted at rest with S3 managed encryption keys. Default bucket encryption applies only to objects written after it is enabled, so the objects already in the buckets remain unencrypted until they are rewritten. That is why you then use S3 Batch Operations to copy and encrypt the existing objects in the same location: each in-place copy is a new PUT that picks up the bucket's default encryption. S3 Batch Operations performs actions on a large number of objects in parallel, reducing the operational overhead of encrypting millions of objects individually.

Option B suggests using AWS Key Management Service (AWS KMS) keys (SSE-KMS) and encrypting the existing objects by using an S3 copy command in the AWS CLI. While this approach provides encryption at rest, it involves additional steps and complexity compared to simply enabling SSE-S3, and it does not use the key type the company asked for.

Option C suggests turning on SSE-S3 on both S3 buckets and encrypting the existing objects by using an S3 copy command in the AWS CLI. This meets the encryption requirement but does not take advantage of S3 Batch Operations, which significantly reduces the time and effort required to encrypt millions of objects.

Option D suggests creating AWS KMS keys in each account and using SSE-KMS on each S3 bucket, with S3 Batch Operations copying the objects into the same location. While this approach can achieve encryption at rest, it introduces unnecessary complexity by involving AWS KMS keys and does not provide any additional benefit over Option A for the stated requirement.

Therefore, the correct solution is A: Turn on SSE-S3 on both S3 buckets and use S3 Batch Operations to copy and encrypt the objects in the same location.