AWS SAA-C03 #36

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.

Which solution will meet these requirements with the LEAST operational overhead?

A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.

C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.


The solution that meets the requirements with the LEAST operational overhead is:

B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.

Here's why:

  1. Customer Managed Multi-Region KMS Key: This option uses a single customer managed KMS key that is designed to work across multiple AWS Regions. This means you don't have to manage separate keys for each Region, reducing operational overhead.

  2. S3 Buckets in Each Region: It creates an S3 bucket in each Region, which is necessary for storing data in two AWS Regions.

  3. Replication: It configures replication between the S3 buckets. This ensures that data is synchronized across the two Regions, which is a requirement in this scenario.

  4. Client-Side Encryption with KMS Key: The application is configured to use the KMS key with client-side encryption. This means the application handles the encryption and decryption process using the specified KMS key.

Option A is not suitable because it uses Amazon S3 managed encryption keys (SSE-S3) which means AWS handles the encryption, but you require customer managed keys for your specific needs.

Option C is similar to Option A, using SSE-S3, and doesn't involve customer managed keys, which is a requirement in this scenario.

Option D uses SSE-KMS, which would require managing separate KMS keys in each Region, increasing operational overhead.

Therefore, option B is the most suitable and least operationally intensive solution for this scenario.

相关推荐
沈艺强25 分钟前
云计算答案
云计算
Thanks_ks3 小时前
探索计算机互联网的奇妙世界:从基础到前沿的无尽之旅
物联网·云计算·区块链·tcp/ip协议·计算机互联网·万维网·未来科技
IT技术分享社区3 小时前
C#实战:使用腾讯云识别服务轻松提取火车票信息
开发语言·c#·云计算·腾讯云·共识算法
九河云10 小时前
AWS账号注册费用详解:新用户是否需要付费?
服务器·云计算·aws
神一样的老师10 小时前
利用亚马逊AWS IoT核心和MQTT进行数据采集的综合指南
云计算·aws
昔我往昔16 小时前
阿里云文本内容安全处理
安全·阿里云·云计算
写代码的学渣19 小时前
Linux云计算个人学习总结(一)
linux·运维·云计算
林农21 小时前
C02S11-Linux系统的安全与控制
linux·云计算
danns8881 天前
什么是 AWS PrivateLink
云计算·aws