Exam AWS Certified Developer Associate topic 1 question 61 discussion

Should be A, since configuration should be minimal

A) Correct - SSE-S3 is the simplest encryption mechanism for encrypting files at rest in S3. S3 provides a feature called Cross-Region Replication (CRR) that automatically replicates objects from one bucket to another in a different AWS Region

A seems more apt to me keeping in mind S3 objects are by default encrypted and the question has asked for LEAST amount of configuration

This seems like it might be an old question - as of earlier this year, S3 buckets are ALWAYS encrypted, and you can not turn this off. https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html

It's definitely A. B seems to be correct but there is no way to encrypt using CMK if we can use directly SSE-S3 at rest encryption by default

I think both A and B will do, but A has the LEAST amount of configuration

A The question is about LEAST amount of configuration. Creating a CMK would add a additional task.

B. Encrypt the files by using server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK). Enable S3 bucket replication. By using server-side encryption with an AWS KMS customer master key (CMK) to encrypt the files in the S3 bucket, the developer can easily enable S3 bucket replication to replicate the encrypted files to an S3 bucket in a different AWS Region for disaster recovery. SSE with AWS KMS CMK provides an extra layer of security by ensuring that the files are encrypted with a key that the developer has control over. This method also requires the least amount of configuration because it involves only configuring server-side encryption and S3 bucket replication.

It should be A. By default, Amazon S3 doesn't replicate objects that are stored at rest using server-side encryption with customer managed keys stored in AWS KMS. Additional configuration is needed to direct Amazon S3 to replicate these objects.

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. With cross-region replication, every object uploaded to an S3 bucket is automatically replicated to a destination bucket in a different AWS region that you choose.

SSE-KMS requires extra config

A is correct

i choose A bcos keyword is Least amount of config

By default, Amazon S3 doesn't replicate objects that are stored at rest using server-side encryption with customer managed keys stored in AWS KMS.

A. At first I thought it should be "B" due to similar approach with EBS volumes, but after reading the link https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html Important Objects created with server-side encryption using customer-provided (SSE-C) encryption keys are not replicated. looks like the answer is A

It is A. keyword ===> Minimal Configuration

I don't know why people vote for A, this guide does not mention S3 managed key at all, only KMS for replication https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-4.html