AWS SAA-C03 #36

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.

Which solution will meet these requirements with the LEAST operational overhead?

A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.

C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.


The solution that meets the requirements with the LEAST operational overhead is:

B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.

Here's why:

  1. Customer Managed Multi-Region KMS Key: This option uses a single customer managed KMS key that is designed to work across multiple AWS Regions. This means you don't have to manage separate keys for each Region, reducing operational overhead.

  2. S3 Buckets in Each Region: It creates an S3 bucket in each Region, which is necessary for storing data in two AWS Regions.

  3. Replication: It configures replication between the S3 buckets. This ensures that data is synchronized across the two Regions, which is a requirement in this scenario.

  4. Client-Side Encryption with KMS Key: The application is configured to use the KMS key with client-side encryption. This means the application handles the encryption and decryption process using the specified KMS key.

Option A is not suitable because it uses Amazon S3 managed encryption keys (SSE-S3) which means AWS handles the encryption, but you require customer managed keys for your specific needs.

Option C is similar to Option A, using SSE-S3, and doesn't involve customer managed keys, which is a requirement in this scenario.

Option D uses SSE-KMS, which would require managing separate KMS keys in each Region, increasing operational overhead.

Therefore, option B is the most suitable and least operationally intensive solution for this scenario.

相关推荐
胖胖雕1 天前
利用阿里云与docker部署Certimate
阿里云·docker·云计算
AliCloudROS1 天前
一次真实录屏:我只说每月别超过 200 块,小程序后端就搭好了
运维·人工智能·云计算
buligbulig1 天前
如何在云计算中使用虚拟磁盘?
云计算
赛博三把手2 天前
Claude Fable 5 API 调用完整指南:官方、AWS、OpenRouter 与中转平台对比(2026 最新)
网络·云计算·aws
weixin_462901972 天前
从零跑通:阿里云 ECS + 百炼 MaaS 大模型答题卡识别全流程
阿里云·云计算
tiancaijiben2 天前
阿里云ECS云服务器部署Vue打包静态网站:Nginx路由重定向完整配置
云计算
我是伪码农2 天前
页面ai调用(阿里云)
阿里云·云计算
爆落千玄3 天前
从0训练LLM原理解析
阿里云·云计算
淘源码A3 天前
多院区集团化云PACS系统源码,原生兼容国产软硬件环境
java·云计算·源码·saas·pacs·医学影像系统
leijiwen4 天前
Bsin-PaaS(毕昇)——LinkLifeVerse OS 的产业智能工程底座
云原生·云计算·paas