Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 36 discussion

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  • B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.
  • C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  • D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.
Suggested Answer: B 🗳️
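As an added example (not part of the ExamTopics page or any commenter's post), the following Python builds the two S3 API payloads that the SSE-KMS plus multi-Region key design in this question needs: the bucket default encryption rule and the replication rule that includes SSE-KMS objects and re-encrypts them under the replica key in the destination Region. It makes no AWS calls; the account id, bucket names, IAM role and key id are constructed placeholders, and the only AWS fact it relies on is that a multi-Region key id begins with `mrk-` and is shared by the primary key and its replicas.

```python
import re

# A multi-Region KMS key id always starts with "mrk-"; the primary and each
# replica share that key id and differ only in the Region part of the ARN.
MRK_ARN = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/(mrk-[0-9a-f]{32})$")


def replica_key_arn(primary_key_arn: str, replica_region: str) -> str:
    """Derive the ARN of the replica key in replica_region from a multi-Region primary."""
    m = MRK_ARN.match(primary_key_arn)
    if not m:
        raise ValueError("not a multi-Region key ARN (key id must start with mrk-)")
    region, account, key_id = m.groups()
    if region == replica_region:
        raise ValueError("a replica must live in a different Region than the primary")
    return f"arn:aws:kms:{replica_region}:{account}:key/{key_id}"


def default_encryption(key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration for put_bucket_encryption: SSE-KMS with a customer managed key."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True,
    }]}


def replication_config(role_arn: str, dest_bucket: str, dest_key_arn: str) -> dict:
    """ReplicationConfiguration for put_bucket_replication that replicates SSE-KMS objects
    and re-encrypts them in the destination Region under dest_key_arn."""
    return {"Role": role_arn, "Rules": [{
        "ID": "replicate-sse-kms-objects", "Priority": 1, "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
        "Destination": {
            "Bucket": f"arn:aws:s3:::{dest_bucket}",
            "EncryptionConfiguration": {"ReplicaKmsKeyID": dest_key_arn},
        },
        "DeleteMarkerReplication": {"Status": "Disabled"},
    }]}


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own account, Regions and key.
    primary = "arn:aws:kms:us-east-1:111122223333:key/mrk-" + "0" * 32
    replica = replica_key_arn(primary, "us-west-2")
    role = "arn:aws:iam::111122223333:role/s3-replication-role"
    print(default_encryption(primary))
    print(replication_config(role, "app-data-us-west-2", replica))
```

The two dicts are what you would pass as `ServerSideEncryptionConfiguration` and `ReplicationConfiguration` to boto3's `put_bucket_encryption` and `put_bucket_replication`, with the mirror-image replication rule applied on the second bucket.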

Comments

pooppants
Highly Voted 2 years, 1 month ago
Selected Answer: B
KMS Multi-region keys are required https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 68 times
hypnozz
1 year, 5 months ago
The answer is C, because "Server-side encryption with Amazon S3 managed keys (SSE-S3) is the base level of encryption configuration for every bucket in Amazon S3. If you want to use a different type of default encryption, you can also specify server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) or customer-provided keys (SSE-C)" By using SSE-KMS, you can encrypt the data stored in the S3 buckets with a customer managed KMS key. This ensures that the data is protected and allows you to have control over the encryption key. By creating an S3 bucket in each Region and configuring replication between them, you can have data and key redundancy in both Regions.
upvoted 4 times
Clouddon
1 year, 3 months ago
Option B, AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. You can use multi-Region keys with client-side encryption libraries, such as the AWS Encryption SDK, the DynamoDB Encryption Client, and Amazon S3 client-side encryption. For an example of using multi-Region keys with Amazon DynamoDB global tables and the DynamoDB Encryption Client, see Encrypt global data client-side with AWS KMS multi-Region keys in the AWS Security Blog. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 4 times
magazz
2 years ago
Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. So stating that Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key is required is incorrect
upvoted 4 times
thanhvx1
1 year, 7 months ago
Option B involves configuring the application to use client-side encryption, which can increase the operational overhead of managing and securing the keys.
upvoted 2 times
TuLe
1 year, 12 months ago
@magazz: it's not true then. Based on the document from AWS https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html , we will need to set up the replication rule with a destination KMS key. In order to have the key available in more than 2, a multi-Region key should be required. But I'm still not in favor of option B - we can use server-side, so why waste effort on client-side encryption?
upvoted 2 times
TuLe
1 year, 12 months ago
I would say it's true... Not sure why the previous one says "not true" :D.
upvoted 1 times
JayBee65
1 year, 11 months ago
It's not clear what you are saying. Are you saying that B is correct or D is correct?
upvoted 2 times
karbob
1 year, 10 months ago
:D => is a smile, I thought
upvoted 2 times
Edwars
5 months, 2 weeks ago
I'd say D because multi-region keys can be used with server side encryption as well. "Multi-Region keys are supported in the AWS KMS console, the AWS KMS API, the AWS Encryption SDK, Amazon DynamoDB Encryption Client, and Amazon S3 Encryption Client. AWS services also let you configure multi-Region keys for server-side encryption in case you want the same key to protect data that needs both server-side and client-side encryption." https://aws.amazon.com/blogs/security/encrypt-global-data-client-side-with-aws-kms-multi-region-keys/
upvoted 2 times
Instantqueue
1 year, 1 month ago
It’s not correct because the question asks for server side encryption, not client side (before the objects reach the bucket).
upvoted 6 times
babayomi
2 months, 1 week ago
Note, the question did not ask for server-side encryption; it stated customer managed encryption. That is the reason why customer-side encryption makes the solution much easier and applicable. Hence B as the answer.
upvoted 1 times
kelmryan1
6 months, 3 weeks ago
It says encrypt all data, and the data originates from the application. Making it B.
upvoted 1 times
KJa
Highly Voted 2 years, 1 month ago
Selected Answer: D
Cannot be A - the question says customer managed key. Cannot be B - client-side encryption is operational overhead. Cannot be C - as it says SSE-S3 instead of customer managed. So the answer is D, though it requires a one-time setup of keys.
upvoted 60 times
th3cookie
2 years ago
How does client-side encryption increase OPERATIONAL overhead? Do you think every connected client is sitting there with the gpg CLI, decrypting/encrypting every packet that comes in/out? No, it's done via the SDK -> https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html The correct answer is B because that's the only way to actually get the same key across multiple Regions with minimal operational overhead.
upvoted 14 times
kakka22
1 year, 7 months ago
"The data in both S3 buckets must be encrypted and decrypted with the same KMS key" Client-side encryption means that the key is generated from the client without storing it in KMS...
upvoted 7 times
mattlai
2 years, 1 month ago
Fun joke: if you don't do encryption on the client side, where else could it be?
upvoted 1 times
Newptone
2 years ago
It could be server side. For client side, the application needs to finish the encryption and decryption by itself. So S3 object encryption on the server side is less operational overhead. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html But for option B, the major issue is that if you create KMS keys in 2 Regions, they cannot be the same.
upvoted 7 times
Newptone
2 years ago
Sorry for the typo, I mean option D.
upvoted 2 times
Clouddon
1 year, 3 months ago
Kindly point at where server-side encryption supports multi-Region. It is only mentioned on the AWS blog that client-side supports multi-Region.
upvoted 2 times
BoboChow
2 years, 1 month ago
The data in both S3 buckets must be encrypted and decrypted with the same KMS key. AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. "as though" means it's different. So I agree with B
upvoted 15 times
BoboChow
2 years, 1 month ago
Keys change across Regions unless you use multi-Region keys.
upvoted 2 times
pentium75
11 months ago
B includes replicating the data in the S3 buckets, which is not mentioned anywhere in the stem. It says that you need to store data in two buckets, not that you need to replicate content between buckets.
upvoted 1 times
Drew3000
8 months, 2 weeks ago
All the choices involve replication between the buckets.
upvoted 1 times
EzKkk
Most Recent 1 day, 20 hours ago
Selected Answer: B
The key to this question is that the data is encrypted in 2 Regions. If we were to use a Region-specific key to encrypt the data in S3, we would have to decrypt then re-encrypt the data in each Region, which increases operational complexity. Meanwhile, if we offload the responsibility of encrypting data to the client side, then we no longer have to worry about such an issue. Once the data is on AWS, we can use a multi-Region key managed by KMS to replicate data between Regions.
upvoted 1 times
f51a8bd
1 week, 1 day ago
Answer B. Create a KMS key in one Region: First, create a customer managed KMS key (CMK) in the primary Region (for example, us-east-1). Replicate the KMS key to the second Region: Use the AWS KMS key replication capability to replicate the key from the primary Region to the second Region (for example, us-west-2). This replica creates an independent but related key, which allows the same cryptographic material to be available in both Regions. Configure encryption on the S3 buckets: Configure the S3 buckets in both Regions to use their respective KMS keys (the original key in the primary Region and the replicated key in the secondary Region) for encryption. This way, data is encrypted and decrypted locally in each Region, using the corresponding key in that Region.
upvoted 1 times
UncleA
4 weeks ago
Selected Answer: D
Correct choice
upvoted 1 times
aturret
1 month, 2 weeks ago
Selected Answer: D
Can't you guys see "it must be stored in KMS"?
upvoted 1 times
bignatov
2 months ago
Selected Answer: D
The Correct answer is D. The key requirement is: "The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets." KMS doesn't work for client side encryption!!!
upvoted 2 times
tonybuivannghia
2 months ago
Selected Answer: D
D is the correct answer.
upvoted 2 times
MrPCarrot
2 months, 1 week ago
Let's stick with B
upvoted 1 times
LibbyS
2 months, 3 weeks ago
Selected Answer: D
Customer managed key
upvoted 2 times
PaulGa
2 months, 3 weeks ago
Selected Answer: B
Ans B - multi-region keys
upvoted 2 times
DavidNgTan
3 months, 3 weeks ago
Selected Answer: D
SSE-S3 uses Amazon S3-managed keys, while SSE-KMS uses customer-managed keys (CMKs) in AWS KMS.
upvoted 2 times
KTEgghead
3 months, 3 weeks ago
Selected Answer: D
It is D. Create a customer managed KMS key in AWS KMS. Configure your Amazon S3 buckets to use this CMK for server-side encryption (SSE-KMS). During data uploads, specify the CMK as the encryption key using the --sse-kms-key-id parameter. This ensures consistent encryption and decryption across both S3 buckets in different Regions. You'll have full control over the key, including rotation, access controls, and cross-account access. https://repost.aws/knowledge-center/s3-object-encryption-keys
upvoted 3 times
jasmine48718372
4 months ago
I think the answer was all stated clearly in the question per se. "The data and the key must be stored in each of the two Regions." makes it really clear it's either C or D. Since the customer "must use AWS KMS customer managed key to encrypt all data...", the answer should be D.
upvoted 2 times
dekol347
4 months, 3 weeks ago
Selected Answer: D
https://aws.amazon.com/getting-started/hands-on/replicate-data-using-amazon-s3-replication/ https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html Basically, neither of the two sources above mentions using KMS multi-Region keys (Option B) or client-side encryption. Option C is not really valid because SSE-S3 is AWS managed, not customer managed. Option D is the most logical and straightforward solution: you can create a customer managed key for SSE-KMS.
upvoted 3 times
jatric
4 months, 3 weeks ago
Selected Answer: D
D supports multi-Region keys, using AWS KMS (less overhead)
upvoted 2 times
ChymKuBoy
5 months, 1 week ago
Selected Answer: B
B for sure
upvoted 1 times