Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 952 discussion

A wins because it gives us encryption with AWS KMS multi-Region keys

A - A new bucket + KMS multi-Region keys = Too much operational oversight. B - RDS is not a serverless solution C - By using the existing S3 bucket, you eliminate the need to create a new bucket and load data into it. D - Athena supports querying using SQL, so that rules out RDS.

I would go on option A. Concidering this article: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html If we just activate the replication on the existing bucket, the unencrypted data will by replicate unencrypted. If there was an option for creating a new bucket with crr, sse-s3 AND Athena I would have chosen this one. But the nearest solution is Wright en with rds instead of Athena. So go for A

A is correct. everyone. voting for c i think isnt paying attention to the part where you need the data replicated to a different region. how are you meant to replicate it without a new bucket? everyone saying use the existing bucket.... urm what? how can you replicate into the same bucket thats in the same region and expect it to be in a different region? clearly A.

we don't need to create a policy specifically for Amazon S3-managed keys (SSE-S3) to encrypt objects in your S3 bucket... should be more easy and LEAST operational overhead

The default encryption for S3 is SSE-S3, and cross-region replication can be enabled normally.

Amazon S3 managed keys is region specific, for CRR, we must use KMS mult-region keys. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

It’s not require highly sensitive data or complexity gain permission. So it should use sse-s3 is suitable

The correct answer is C. Explanation: Option A: Incorrect. Although using AWS KMS multi-Region keys (SSE-KMS) and Amazon Athena to query the data meet the security and SQL querying requirements, creating a new S3 bucket and handling data migration increases operational overhead unnecessarily if the data already exists. Option C: Correct. Configuring Cross-Region Replication (CRR) on the existing S3 bucket makes efficient use of existing infrastructure and leverages server-side encryption with Amazon S3 managed keys (SSE-S3) to ensure data encryption at rest with lower operational complexity and costs compared to using KMS keys. Using Amazon Athena allows querying the data directly in S3, offering serverless and flexible SQL querying capabilities with minimal setup and operational overhead.

I will chose Option C for the following reasons: #1: Least operational overhead: Choosing "SSE-S3" over "SSE-KMS" minimizes operational overhead as it automatically manages encryption keys within S3, eliminating the need for additional KMS key management. #2: Existing S3 bucket: Reusing the existing bucket avoids the extra step of creating a new one and migrating data. #3: Athena for querying: Athena is a serverless solution ideal for querying large datasets stored in S3, aligning with the requirement for a serverless architecture.

A is correct

Answer is A

C is correct because it needs to replicate to different AWS region