Q42 — AWS SAP-C02 Ch.2
Question 42 of 75 | ← Chapter 2
Q192. A company has millions of objects in an Amazon S3 bucket. The objects are in the S3 Standard storage class. All the S3 objects are accessed frequently. The number of users and applications that access the objects is increasing rapidly. The objects are encrypted with server-side encryption with AWS KMS keys (SSE-KMS). A solutions architect reviews the company's monthly AWS invoice and notices that AWS KMS costs are increasing because of the high number of requests from Amazon S3. The solutions architect needs to optimize costs with minimal changes to the application. Which solution will meet these requirements with the LEAST operational overhead?
- A. Create a new S3 bucket that has server-side encryption with customer-provided keys (SSE-C) as the encryption type. Copy the existing objects to the new S3 bucket Specify SSE-C
- B. Create a new S3 bucket that has server-side encryption with Amazon S3 managed keys(SSE-S3) as the encryption type Use S3 Batch Operations to copy the existing objects to the new S3 bucket Specify SSE-S3 ✓
- C. Use AWS CloudHSM to store the encryption keys. Create a new S3 bucket. Use S3 Batch Operations to copy the existing objects to the new S3 bucket Encrypt the objects by using the keys from CloudHSM
- D. Use the S3 Intelligent-Tiering storage class for the S3 bucket Create an S3 Intelligent-Tiering archive configuration to transition objects that are not accessed for 90 days to S3 Glacier Deep Archive
Correct Answer: B. Create a new S3 bucket that has server-side encryption with Amazon S3 managed keys(SSE-S3) as the encryption type Use S3 Batch Operations to copy the existing objects to the new S3 bucket Specify SSE-S3
Explanation
Option A involves creating a new S3 bucket with SSE-C encryption type and copying all existing objects from the old bucket, which can be time-consuming and disrupt the current applications. Additionally, SSE-C requires managing and rotating encryption keys, which can increase operational overhead. Option C involves using AWS CloudHSM to store encryption keys, which adds significant complexity and cost to the solution. It also requires modifying the application to use CloudHSM to retrieve the encryption keys. Option D involves moving data to a different storage class based on access patterns, rather than addressing the high cost of KMS requests. It may not reduce the cost of KMS requests significantly and may not be appropriate if the objects are frequently accessed. Option B involves creating a new S3 bucket with SSE-S3 encryption type, which does not require managing or rotating encryption keys. This option uses S3 Batch Operations to copy the existing objects to the new bucket, which preserves the current application configuration. Using SSE-S3 instead of SSE-KMS will reduce the cost of KMS requests while maintaining the encryption of S3 objects, and this solution requires the least operational overhead.