Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 36 discussion

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  • B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.
  • C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  • D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.
Suggested Answer: B
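As an added illustration of the shared-key requirement this question turns on (this is example code written for this page, not an exam or AWS sample), the following Python builds the two S3 configuration documents for a bucket pair and first checks that the key ARNs for the two Regions are the primary and replica of one multi-Region key, rather than two independently created keys. It relies on two facts: a multi-Region key's ID starts with `mrk-`, and a replica keeps the primary's key ID, so the ARNs differ only in the Region. The account number, key IDs, bucket names and replication role ARN are constructed placeholders, and the documents are only built here, not sent to AWS.

```python
"""Check that two Regions share one multi-Region KMS key and build the S3
SSE-KMS default-encryption and replication documents that reference it.
Example code added for this page; all ARNs are constructed placeholders."""
import json
import re

# KMS key ARN layout: arn:partition:kms:region:account:key/key-id
KMS_KEY_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):"
    r"(?P<account>\d{12}):key/(?P<key_id>[^:/]+)$"
)


def parse_kms_key_arn(arn):
    """Split a KMS key ARN into its parts; reject anything that is not a key ARN."""
    match = KMS_KEY_ARN.match(arn)
    if not match:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return match.groupdict()


def is_multi_region_key_id(key_id):
    # AWS gives multi-Region keys (primary and every replica) a key ID with the mrk- prefix.
    return key_id.startswith("mrk-")


def same_multi_region_key(arn_a, arn_b):
    """True only when the ARNs are the primary and a replica of one multi-Region key:
    same partition and account, same mrk- key ID, different Regions."""
    a, b = parse_kms_key_arn(arn_a), parse_kms_key_arn(arn_b)
    return (
        is_multi_region_key_id(a["key_id"])
        and a["key_id"] == b["key_id"]
        and a["account"] == b["account"]
        and a["partition"] == b["partition"]
        and a["region"] != b["region"]
    )


def default_encryption_config(kms_key_arn):
    """Document for s3:PutBucketEncryption: SSE-KMS under the given customer managed key."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_arn,
                },
                "BucketKeyEnabled": True,
            }
        ]
    }


def replication_config(role_arn, dest_bucket, dest_kms_key_arn):
    """Document for s3:PutBucketReplication that replicates SSE-KMS objects and
    re-encrypts each replica under the key that lives in the destination Region."""
    return {
        "Role": role_arn,
        "Rules": [
            {
                "ID": "replicate-all-sse-kms",
                "Status": "Enabled",
                "Priority": 1,
                "Filter": {},
                "DeleteMarkerReplication": {"Status": "Disabled"},
                "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
                "Destination": {
                    "Bucket": f"arn:aws:s3:::{dest_bucket}",
                    "EncryptionConfiguration": {"ReplicaKmsKeyID": dest_kms_key_arn},
                },
            }
        ],
    }


def plan_two_region_setup(primary_arn, replica_arn, role_arn, bucket_a, bucket_b):
    """Refuse to produce configuration unless both Regions reference one multi-Region key."""
    if not same_multi_region_key(primary_arn, replica_arn):
        raise ValueError(
            "the two Regions would use different KMS keys; "
            "create a multi-Region key and replicate it into the second Region instead"
        )
    return {
        "bucket_a_encryption": default_encryption_config(primary_arn),
        "bucket_b_encryption": default_encryption_config(replica_arn),
        "a_to_b_replication": replication_config(role_arn, bucket_b, replica_arn),
        "b_to_a_replication": replication_config(role_arn, bucket_a, primary_arn),
    }


# Constructed sample values: placeholder account, key IDs and role, not real resources.
PRIMARY_KEY = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
REPLICA_KEY = "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
SINGLE_REGION_KEY = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE = "arn:aws:iam::111122223333:role/s3-replication-role"

if __name__ == "__main__":
    plan = plan_two_region_setup(PRIMARY_KEY, REPLICA_KEY, ROLE, "bucket-a", "bucket-b")
    print(json.dumps(plan, indent=2))
```

Pairing `PRIMARY_KEY` with `SINGLE_REGION_KEY` makes `plan_two_region_setup` raise, which is the situation where a key was created separately in each Region: the key IDs differ, so an object encrypted in one Region cannot be decrypted with the other Region's key. With the replica ARN the check passes and the replication rule's `ReplicaKmsKeyID` points at the key material already present in the destination Region.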

Comments

pooppants
Highly Voted 2 years, 5 months ago
Selected Answer: B
KMS Multi-region keys are required https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 70 times
hypnozz
1 year, 9 months ago
The answer is C, because "Server-side encryption with Amazon S3 managed keys (SSE-S3) is the base level of encryption configuration for every bucket in Amazon S3. If you want to use a different type of default encryption, you can also specify server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) or customer-provided keys (SSE-C)" By using SSE-KMS, you can encrypt the data stored in the S3 buckets with a customer managed KMS key. This ensures that the data is protected and allows you to have control over the encryption key. By creating an S3 bucket in each Region and configuring replication between them, you can have data and key redundancy in both Regions.
upvoted 5 times
Clouddon
1 year, 7 months ago
Option B, AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. You can use multi-Region keys with client-side encryption libraries, such as the AWS Encryption SDK, the DynamoDB Encryption Client, and Amazon S3 client-side encryption. For an example of using multi-Region keys with Amazon DynamoDB global tables and the DynamoDB Encryption Client, see Encrypt global data client-side with AWS KMS multi-Region keys in the AWS Security Blog. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 6 times
aatikah
3 months ago
Does NOT meet the requirement of using a customer managed KMS key
upvoted 1 times
magazz
2 years, 3 months ago
Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. So stating that Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key is required is incorrect
upvoted 5 times
thanhvx1
1 year, 11 months ago
Option B involves configuring the application to use client-side encryption, which can increase the operational overhead of managing and securing the keys.
upvoted 2 times
TuLe
2 years, 3 months ago
@magazz: it's not true then. Based on the document from AWS https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html , we will need to set up the replication rule with a destination KMS key. In order to have the key available in more than 2, a multi-region key should be required. But I'm still not in favor of option B - we can use server-side, so why waste effort on client-side encryption?
upvoted 2 times
TuLe
2 years, 3 months ago
I would say it's true... Not sure the previous one say "not true" :D.
upvoted 1 times
JayBee65
2 years, 3 months ago
It's not clear what you are saying. Are you saying that B is correct or D is correct?
upvoted 2 times
karbob
2 years, 2 months ago
:D => it's a smile, I thought
upvoted 2 times
Edwars
9 months, 2 weeks ago
I'd say D because multi-region keys can be used with server side encryption as well. "Multi-Region keys are supported in the AWS KMS console, the AWS KMS API, the AWS Encryption SDK, Amazon DynamoDB Encryption Client, and Amazon S3 Encryption Client. AWS services also let you configure multi-Region keys for server-side encryption in case you want the same key to protect data that needs both server-side and client-side encryption." https://aws.amazon.com/blogs/security/encrypt-global-data-client-side-with-aws-kms-multi-region-keys/
upvoted 3 times
Instantqueue
1 year, 5 months ago
It’s not correct because the question asks for server side encryption, not client side (before the objects reach the bucket).
upvoted 8 times
babayomi
6 months, 1 week ago
Note, the question did not ask for server-side encryption; it stated customer managed encryption. That is the reason why customer-side encryption makes the solution much easier and applicable. Hence B as the answer.
upvoted 1 times
kelmryan1
10 months, 2 weeks ago
It says encrypt all data and the data originates from the application. Making it B
upvoted 1 times
KJa
Highly Voted 2 years, 5 months ago
Selected Answer: D
Cannot be A - the question says customer managed key. Cannot be B - client-side encryption is operational overhead. Cannot be C - it says SSE-S3 instead of customer managed. So the answer is D, though it requires a one-time setup of keys.
upvoted 68 times
th3cookie
2 years, 4 months ago
How does client-side encryption increase OPERATIONAL overhead? Do you think every connected client is sitting there with the gpg CLI, decrypting/encrypting every packet that comes in/out? No, it's done via the SDK -> https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html . The correct answer is B because that's the only way to actually get the same key across multiple regions with minimal operational overhead.
upvoted 14 times
kakka22
1 year, 11 months ago
"The data in both S3 buckets must be encrypted and decrypted with the same KMS key." Client-side encryption means that the key is generated from the client without storing it in KMS...
upvoted 7 times
mattlai
2 years, 5 months ago
Fun joke: if you don't do encryption on the client side, where else could it be?
upvoted 1 times
Newptone
2 years, 4 months ago
It could be server side. For client side, the application needs to finish the encryption and decryption by itself. So S3 object encryption on the server side is less operational overhead. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html But for option B, the major issue is that if you create KMS keys in 2 regions, they cannot be the same.
upvoted 7 times
Newptone
2 years, 4 months ago
Sorry for the typo, I mean option D.
upvoted 2 times
Clouddon
1 year, 7 months ago
Kindly point at where server-side encryption supports multi-region. It is only mentioned on the AWS blog that client-side supports multi-region.
upvoted 2 times
BoboChow
2 years, 5 months ago
The data in both S3 buckets must be encrypted and decrypted with the same KMS key. AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. "as though" means it's different. So I agree with B
upvoted 15 times
BoboChow
2 years, 5 months ago
Keys change across regions unless you use multi-Region keys.
upvoted 2 times
pentium75
1 year, 2 months ago
B includes replicating the data in the S3 buckets, which is not mentioned anywhere in the stem. It says that you need to store data in two buckets, not that you need to replicate content between buckets.
upvoted 1 times
Drew3000
1 year ago
All the choices involve replication between the buckets.
upvoted 1 times
SleeplessHossam
Most Recent 2 days, 12 hours ago
Selected Answer: B
I was confused which to choose, B or D, but someone in the discussion mentioned a really important point: D suggests creating two keys and two Regions, which can't be the same key, so D is of course not the correct answer.
upvoted 1 times
Anastesas
2 weeks, 6 days ago
Selected Answer: D
Given the requirements to encrypt and decrypt data stored in S3 buckets in two AWS Regions using the same KMS key with minimal operational overhead, server-side encryption with AWS KMS (SSE-KMS) is the most suitable solution. It provides simplicity, seamless integration, centralized key management, and optimal performance. Therefore: Option D: Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.
upvoted 1 times
iwantcertificates
3 weeks ago
Selected Answer: D
I think this question would be invalidated in an actual test. Both B and D have problems. B uses client-side encryption, which adds complexity to the operation. Additionally, KMS by default uses server-side encryption, SSE-KMS. But option D also has an imprecision, because you are creating two KMS keys instead of just one multi-region key.
upvoted 1 times
sammo08
3 weeks, 5 days ago
Selected Answer: B
Key Reason: Separate KMS Keys in Each Region In Option D, you are creating a separate AWS KMS key in each Region, meaning the encryption keys are distinct. When replicating data between Regions, AWS does not allow direct decryption of objects encrypted with an SSE-KMS key in one Region using a different KMS key in another Region. KMS keys are tied to a specific Region unless you use a Multi-Region key. Because of this, the replicated objects cannot be automatically decrypted in the destination Region without additional configuration, increasing operational overhead. Why Option B is Better Option B uses a Multi-Region KMS Key that allows encryption and decryption with the same key across both Regions. Less operational complexity, as the application does not have to handle different keys in each Region. Seamless replication and decryption of data across Regions.
upvoted 1 times
Clpsz
1 month, 1 week ago
Selected Answer: D
B: client side encryption is not correct
upvoted 1 times
AshishDhole
1 month, 1 week ago
Selected Answer: B
The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions --> a single key for both Regions. So a multi-region key will be the answer.
upvoted 1 times
Krenil
1 month, 1 week ago
Selected Answer: D
Correct Ans: D Option B is not the best solution because it involves client-side encryption, which adds unnecessary complexity and operational overhead. Here's why: Client-side encryption means that the application itself must handle the encryption and decryption of data before it is uploaded to S3 and after it is downloaded. This requires additional development work, key management, and the management of encryption and decryption logic in the application. In contrast, SSE-KMS (option D) allows Amazon S3 to manage the encryption and decryption process automatically on the server side, which reduces operational overhead and simplifies the implementation.
upvoted 1 times
Tika57
1 month, 2 weeks ago
Selected Answer: D
B and D are on the short list (using a customer managed key and KMS), but B requires that each client encrypts the data before sending it, whereas D is totally transparent, so it is the "LEAST overhead" option.
upvoted 1 times
dariar
1 month, 3 weeks ago
Selected Answer: D
For me the answer is D. It could also be the B answer, but when it asks to "Configure the application", it sounds like "operational overhead", so it's eliminatory for me.
upvoted 1 times
AtiiF
1 month, 3 weeks ago
Selected Answer: D
=======> D
upvoted 1 times
V2910
1 month, 3 weeks ago
Selected Answer: D
Difference between B and D is server side encryption
upvoted 1 times
CloudExpert01
1 month, 4 weeks ago
Selected Answer: B
Mentioning of the "multi-Region KMS key" https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 1 times
aefuen1
2 months, 4 weeks ago
Selected Answer: B
It's B, it has to use the same key in both regions.
upvoted 2 times
pg6058
3 months ago
Selected Answer: B
Multi-Region KMS keys support client-side encryption https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/
upvoted 1 times
Upchar
3 months ago
Selected Answer: D
Option D is the most appropriate solution because:
- It uses SSE-KMS with a customer managed KMS key, which satisfies the encryption requirement.
- It supports cross-region replication with minimal operational overhead.
- It meets the company's needs of using the same key across both regions without introducing extra complexity.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other