Q24 — AWS SAP-C02 Ch.3
Q249. A company is migrating an application to AWS. It wants to use fully managed services as much as possible during the migration. The company needs to store large, important documents within the application with the following requirements:
- The data must be highly durable and available.
- The data must always be encrypted at rest and in transit.
- The encryption key must be managed by the company and rotated periodically.
Which of the following solutions should the Solutions Architect recommend?
- A. Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.
- B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption. ✓
- C. Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.
- D. Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.
Correct Answer: B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
Explanation
To store large, important documents in an application that is being migrated to AWS, with the requirements of high durability and availability, data that is always encrypted at rest and in transit, and the ability to manage and periodically rotate the encryption keys, a Solutions Architect should recommend Amazon S3 with server-side encryption and AWS KMS. Therefore, option B is the correct solution.

Amazon S3 provides highly durable and available object storage, and server-side encryption can be enabled to encrypt objects at rest. AWS KMS can be used to manage the encryption keys and rotate them periodically. Additionally, a bucket policy can be configured to deny non-HTTPS connections and to require server-side encryption with AWS KMS for all object uploads, so the encryption requirements are enforced rather than left to each client.

Option A suggests deploying Storage Gateway in file gateway mode, which may not provide the same level of durability and availability as Amazon S3, and EBS volume encryption may not provide the same level of security as AWS KMS. Option C suggests using DynamoDB with SSL to connect and encrypting DynamoDB items at rest with AWS KMS, but this approach may not be suitable for storing large documents because DynamoDB has a limit on the size of the items it can store. Option D suggests deploying instances with Amazon EBS volumes attached to store the data and using EBS volume encryption with AWS KMS, but this approach may not be cost-effective or scalable compared to using Amazon S3.

- A. File Gateway links to S3, so S3 would need to be encrypted as well.
- D. You may not be able to rotate the key.
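The bucket policy the explanation refers to, written out as an added example (it is not part of the original question bank): the first statement denies any request that does not use TLS, and the next two deny uploads that are not encrypted with SSE-KMS under the company's own key. The bucket name, account ID, region and key ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-DOCS-BUCKET",
        "arn:aws:s3:::EXAMPLE-DOCS-BUCKET/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    },
    {
      "Sid": "DenyUploadsNotUsingSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET/*",
      "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } }
    },
    {
      "Sid": "DenyUploadsNotUsingCompanyKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  ]
}
```

Because `StringNotEquals` also matches when the header is absent, uploads that omit the encryption headers are denied too, so set the bucket's default encryption to the same customer managed key and enable automatic rotation on that key (`aws kms enable-key-rotation --key-id <key-id>`) to meet the company-managed, periodically rotated key requirement.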