Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 36 discussion

KMS Multi-region keys are required https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

Cannot be A - question says customer managed key Cannot B - client side encryption is operational overhead Cannot C -as it says SSE-S3 instead of customer managed so the answer is D though it required one time setup of keys

D says "Create a customer managed KMS key and an S3 bucket in each Region." If there are keys created in both regions, then the keys are not the same. If it said create a multi region key and synch it, then I would pick D.

I was confused which to choose, B or D, but someone in discussion mentioned really important point, D suggests creating two keys and two regions, which they can't be the same Key, so D of course is not the correct answer.

Given the requirements to encrypt and decrypt data stored in S3 buckets in two AWS Regions using the same KMS key with minimal operational overhead, server-side encryption with AWS KMS (SSE-KMS) is the most suitable solution. It provides simplicity, seamless integration, centralized key management, and optimal performance. Therefore: Option D: Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.

I think this question would be invalidated in an actual test. Both B and D has problems. B uses client-side encryption, wich adds complexity to the operation. Additionally, KMS by default uses server side encryption, SSE-KMS. But the option D also has a imprecision, because you are creating two KMS keys instead of just one with multi-region

Key Reason: Separate KMS Keys in Each Region In Option D, you are creating a separate AWS KMS key in each Region, meaning the encryption keys are distinct. When replicating data between Regions, AWS does not allow direct decryption of objects encrypted with an SSE-KMS key in one Region using a different KMS key in another Region. KMS keys are tied to a specific Region unless you use a Multi-Region key. Because of this, the replicated objects cannot be automatically decrypted in the destination Region without additional configuration, increasing operational overhead. Why Option B is Better Option B uses a Multi-Region KMS Key that allows encryption and decryption with the same key across both Regions. Less operational complexity, as the application does not have to handle different keys in each Region. Seamless replication and decryption of data across Regions.

B: client side encryption is not correct

he data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions --> Single Key for both region. So multi region key will be the answer

Correct Ans: D Option B is not the best solution because it involves client-side encryption, which adds unnecessary complexity and operational overhead. Here's why: Client-side encryption means that the application itself must handle the encryption and decryption of data before it is uploaded to S3 and after it is downloaded. This requires additional development work, key management, and the management of encryption and decryption logic in the application. In contrast, SSE-KMS (option D) allows Amazon S3 to manage the encryption and decryption process automatically on the server side, which reduces operational overhead and simplifies the implementation.

B and D are in short list (using customer managed key and KMS) but B requires that each client encrypts the data before sending it, wheras the D is totally transparent so with "LEAST overhead"

For me the answer is D. It could also be the B-answer, but whet it asks "Configure the application ", it sounds like the "operational overhead", so it's eliminatory for me

=======> D

Difference between B and D is server side encryption

Mentioning of the "multi-Region KMS key" https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

It's B, it has to use the same key in both regions.

Multi-Region KMS keys supports client-side encryption https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/