AWS SAA-C03 #36

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.

Which solution will meet these requirements with the LEAST operational overhead?

A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.

C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.


The solution that meets the requirements with the LEAST operational overhead is:

B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.

Here's why:

  1. Customer Managed Multi-Region KMS Key: This option uses a single customer managed KMS key that is designed to work across multiple AWS Regions. This means you don't have to manage separate keys for each Region, reducing operational overhead.

  2. S3 Buckets in Each Region: It creates an S3 bucket in each Region, which is necessary for storing data in two AWS Regions.

  3. Replication: It configures replication between the S3 buckets. This ensures that data is synchronized across the two Regions, which is a requirement in this scenario.

  4. Client-Side Encryption with KMS Key: The application is configured to use the KMS key with client-side encryption. This means the application handles the encryption and decryption process using the specified KMS key.

Option A is not suitable because it uses Amazon S3 managed encryption keys (SSE-S3) which means AWS handles the encryption, but you require customer managed keys for your specific needs.

Option C is similar to Option A, using SSE-S3, and doesn't involve customer managed keys, which is a requirement in this scenario.

Option D uses SSE-KMS, which would require managing separate KMS keys in each Region, increasing operational overhead.

Therefore, option B is the most suitable and least operationally intensive solution for this scenario.

相关推荐
嚯——哈哈1 小时前
筑起数字堡垒:解析AWS高防盾(Shield)的全面防护能力
服务器·微服务·云计算·aws
humors2211 小时前
阿里云ECS服务器监控报警配置
运维·服务器·安全·阿里云·云计算
valkyrja1101 小时前
aws 小白入门,VPC 子网、路由表、互联网网关
aws·入门·vpc·路由表·子网·互联网网关
bluetata5 小时前
【云计算网络安全】解析 Amazon 安全服务:构建纵深防御设计最佳实践
安全·web安全·云计算·aws·亚马逊云科技
学Linux的语莫12 小时前
Ansible使用简介和基础使用
linux·运维·服务器·nginx·云计算·ansible
运维&陈同学17 小时前
【zookeeper03】消息队列与微服务之zookeeper集群部署
linux·微服务·zookeeper·云原生·消息队列·云计算·java-zookeeper
云计算DevOps-韩老师18 小时前
【网络云计算】2024第47周-每日【2024/11/21】周考-实操题-RAID6实操解析2
网络·云计算
dessler20 小时前
云计算&虚拟化-kvm-扩缩容cpu
linux·运维·云计算
学Linux的语莫20 小时前
Ansible Playbook剧本用法
linux·服务器·云计算·ansible
cloud studio AI应用1 天前
腾讯云 AI 代码助手:产品研发过程的思考和方法论
人工智能·云计算·腾讯云