Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions


Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 36 discussion

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  • B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.
  • C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  • D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.
Suggested Answer: B 🗳️

Comments

pooppants
Highly Voted 2 years, 3 months ago
Selected Answer: B
KMS Multi-region keys are required https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 70 times
hypnozz
1 year, 8 months ago
The answer is C, because "Server-side encryption with Amazon S3 managed keys (SSE-S3) is the base level of encryption configuration for every bucket in Amazon S3. If you want to use a different type of default encryption, you can also specify server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) or customer-provided keys (SSE-C)" By using SSE-KMS, you can encrypt the data stored in the S3 buckets with a customer managed KMS key. This ensures that the data is protected and allows you to have control over the encryption key. By creating an S3 bucket in each Region and configuring replication between them, you can have data and key redundancy in both Regions.
upvoted 5 times
Clouddon
1 year, 6 months ago
Option B, AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. You can use multi-Region keys with client-side encryption libraries, such as the AWS Encryption SDK, the DynamoDB Encryption Client, and Amazon S3 client-side encryption. For an example of using multi-Region keys with Amazon DynamoDB global tables and the DynamoDB Encryption Client, see Encrypt global data client-side with AWS KMS multi-Region keys in the AWS Security Blog. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 6 times
aatikah
1 month, 3 weeks ago
Does NOT meet the requirement of using a customer managed KMS key
upvoted 1 times
magazz
2 years, 2 months ago
Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. So stating that Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key is required is incorrect
upvoted 5 times
thanhvx1
1 year, 10 months ago
Option B involves configuring the application to use client-side encryption, which can increase the operational overhead of managing and securing the keys.
upvoted 2 times
TuLe
2 years, 2 months ago
@magazz: it's not true then. Based on the document from AWS https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html , we will need to set up the replication rule with a destination KMS key. In order to have the key available in more than one Region, a multi-Region key should be required. But I'm still not in favor of option B - we can use server-side encryption, so why waste effort on client-side encryption?
upvoted 2 times
TuLe
2 years, 2 months ago
I would say it's true... Not sure why the previous one says "not true" :D.
upvoted 1 times
JayBee65
2 years, 2 months ago
It's not clear what you are saying. Are you saying that B is correct or D is correct?
upvoted 2 times
karbob
2 years, 1 month ago
:D => is a smile, I thought
upvoted 2 times
Edwars
8 months, 1 week ago
I'd say D because multi-region keys can be used with server side encryption as well. "Multi-Region keys are supported in the AWS KMS console, the AWS KMS API, the AWS Encryption SDK, Amazon DynamoDB Encryption Client, and Amazon S3 Encryption Client. AWS services also let you configure multi-Region keys for server-side encryption in case you want the same key to protect data that needs both server-side and client-side encryption." https://aws.amazon.com/blogs/security/encrypt-global-data-client-side-with-aws-kms-multi-region-keys/
upvoted 3 times
Instantqueue
1 year, 4 months ago
It’s not correct because the question asks for server side encryption, not client side (before the objects reach the bucket).
upvoted 8 times
babayomi
5 months ago
Note: the question did not ask for server-side encryption. It stated customer managed encryption. That is why customer-side encryption makes the solution much easier and applicable. Hence B as an answer.
upvoted 1 times
kelmryan1
9 months, 1 week ago
It says encrypt all data and the data originates from the application. Making it B
upvoted 1 times
KJa
Highly Voted 2 years, 3 months ago
Selected Answer: D
Cannot be A - the question says customer managed key. Cannot be B - client-side encryption is operational overhead. Cannot be C - it says SSE-S3 instead of customer managed. So the answer is D, though it requires a one-time setup of keys.
upvoted 67 times
th3cookie
2 years, 2 months ago
How does client side encryption increase OPERATIONAL overhead? Do you think every connected client is sitting there with gpg cli, decrypting/encrypting every packet that comes in/out? No, it's done via SDK -> https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html The correct answer is B because that's the only way to actually get the same key across multiple regions with minimal operational overhead
upvoted 14 times
kakka22
1 year, 10 months ago
"The data in both S3 buckets must be encrypted and decrypted with the same KMS key." Client-side encryption means that the key is generated from the client without storing it in KMS...
upvoted 7 times
mattlai
2 years, 3 months ago
Fun joke: if you don't do encryption on the client side, where else could it be?
upvoted 1 times
Newptone
2 years, 3 months ago
It could be server side. For client side, the application needs to finish the encryption and decryption by itself. So S3 object encryption on the server side is less operational overhead. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html But for option B, the major issue is that if you create KMS keys in 2 Regions, they cannot be the same.
upvoted 7 times
Newptone
2 years, 3 months ago
Sorry for the typo, I mean option D.
upvoted 2 times
Clouddon
1 year, 6 months ago
Kindly point at where server-side encryption supports multi-Region. It is only mentioned on the AWS blog that client-side supports multi-Region.
upvoted 2 times
BoboChow
2 years, 3 months ago
The data in both S3 buckets must be encrypted and decrypted with the same KMS key. AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. "as though" means it's different. So I agree with B
upvoted 15 times
BoboChow
2 years, 3 months ago
Keys change across Regions unless you use multi-Region keys.
upvoted 2 times
pentium75
1 year, 1 month ago
B includes replicating the data in the S3 buckets, which is not mentioned anywhere in the stem. It says that you need to store data in two buckets, not that you need to replicate content between buckets.
upvoted 1 times
Drew3000
11 months ago
All the choices involve replication between the buckets.
upvoted 1 times
Krenil
Most Recent 3 days, 21 hours ago
Selected Answer: D
Correct Ans: D Option B is not the best solution because it involves client-side encryption, which adds unnecessary complexity and operational overhead. Here's why: Client-side encryption means that the application itself must handle the encryption and decryption of data before it is uploaded to S3 and after it is downloaded. This requires additional development work, key management, and the management of encryption and decryption logic in the application. In contrast, SSE-KMS (option D) allows Amazon S3 to manage the encryption and decryption process automatically on the server side, which reduces operational overhead and simplifies the implementation.
upvoted 1 times
Tika57
6 days, 18 hours ago
Selected Answer: D
B and D are on the short list (using a customer managed key and KMS), but B requires that each client encrypts the data before sending it, whereas D is totally transparent, so it has the "LEAST overhead".
upvoted 1 times
dariar
1 week, 6 days ago
Selected Answer: D
For me the answer is D. It could also be the B answer, but when it says "Configure the application", it sounds like "operational overhead", so it's eliminated for me.
upvoted 1 times
AtiiF
2 weeks, 2 days ago
Selected Answer: D
=======> D
upvoted 1 times
V2910
2 weeks, 3 days ago
Selected Answer: D
Difference between B and D is server side encryption
upvoted 1 times
CloudExpert01
2 weeks, 5 days ago
Selected Answer: B
Because of the mention of the "multi-Region KMS key": https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 1 times
aefuen1
1 month, 2 weeks ago
Selected Answer: B
It's B, it has to use the same key in both regions.
upvoted 2 times
pg6058
1 month, 3 weeks ago
Selected Answer: B
Multi-Region KMS keys support client-side encryption https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/
upvoted 1 times
Upchar
1 month, 3 weeks ago
Selected Answer: D
Option D is the most appropriate solution because:
- It uses SSE-KMS with a customer managed KMS key, which satisfies the encryption requirement.
- It supports cross-Region replication with minimal operational overhead.
- It meets the company's needs of using the same key across both Regions without introducing extra complexity.
upvoted 1 times
aatikah
1 month, 3 weeks ago
Selected Answer: D
Option D:
- Creates a customer managed KMS key
- Uses server-side encryption with AWS KMS keys (SSE-KMS)
- Allows using the same KMS key across both Regions
- Minimal operational overhead
- Meets all the specified requirements
The key differences that make Option D the best solution:
- It uses a customer managed KMS key
- Implements server-side encryption (SSE-KMS)
- Allows easy replication between S3 buckets
- Provides the least operational overhead
upvoted 1 times
chirag_a_parikh
1 month, 3 weeks ago
Selected Answer: B
S3 belongs to two Regions, hence multi-Region keys are needed.
upvoted 1 times
EllenLiu
1 month, 4 weeks ago
Selected Answer: B
It is all about the multi-Region key. AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. You can use multi-Region keys with client-side encryption libraries such as S3 client-side encryption. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 1 times
EllenLiu
1 month, 4 weeks ago
If D mentioned a multi-Region key, that would be correct as well; however, it doesn't.
upvoted 1 times
S3venM
2 months, 2 weeks ago
Option D is the correct one and the one with the least operational overhead because: It uses a customer managed KMS key, meeting the security requirement. Server-side encryption with SSE-KMS lets AWS handle encryption and decryption automatically, reducing the load on the client application. Configuring replication between the S3 buckets is a standard process in AWS that adds no significant complexity. Therefore, option D is the most efficient and least operationally complicated way to meet the given requirements.
upvoted 1 times
EzKkk
2 months, 2 weeks ago
Selected Answer: B
The key to this question is that the data is encrypted in 2 Regions. If we were to use a Region-specific key to encrypt the data in S3, we would have to decrypt and then re-encrypt the data in each Region, which increases operational complexity. Meanwhile, if we offload the responsibility of encrypting data to the client side, then we no longer have to worry about such an issue. Once the data is on AWS, we can use a multi-Region key managed by KMS to replicate data between Regions.
upvoted 1 times
f51a8bd
2 months, 3 weeks ago
Answer B. Create a KMS key in one Region: First, create a customer managed KMS key (CMK) in the primary Region (for example, us-east-1). Replicate the KMS key to the second Region: Use the AWS KMS key replication capability to replicate the key from the primary Region to the second Region (for example, us-west-2). This replica creates an independent but related key, which allows the same cryptographic material to be available in both Regions. Configure encryption on the S3 buckets: Configure the S3 buckets in both Regions to use their respective KMS keys (the original key in the primary Region and the replicated key in the secondary Region) for encryption. This way, data is encrypted and decrypted locally in each Region, using the corresponding key in that Region.
upvoted 1 times
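The following is an added example, not part of this thread and not AWS's own code. It serves two passages: TuLe's point above that replicating SSE-KMS objects needs a replication rule with a destination KMS key, and the step sequence in the preceding comment (create a multi-Region primary key, replicate it, then configure each bucket). It builds the `put-bucket-encryption` and `put-bucket-replication` payloads and checks, before anything is applied, that the source bucket's default key and the replication rule's `ReplicaKmsKeyID` are replicas of one multi-Region key rather than two unrelated Regional keys. The account ID, key IDs, bucket names and role ARN are constructed placeholders.

```python
"""Added example, not from the thread or from AWS: build the S3 configuration
that pairs a KMS multi-Region key with SSE-KMS default encryption and
cross-Region replication, and check that the source and destination key ARNs
are replicas of the same multi-Region key.  Account ID, key IDs, bucket names
and the role ARN are constructed placeholders."""
import json
import re

ACCOUNT = "111122223333"                           # constructed placeholder
PRIMARY_REGION, REPLICA_REGION = "us-east-1", "us-west-2"
# Multi-Region key IDs start with "mrk-". A primary key and its replicas share
# the key ID and key material; their ARNs differ only in the Region segment.
MRK_ID = "mrk-1234abcd12ab34cd56ef1234567890ab"    # constructed placeholder

KMS_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-zA-Z-]+)$")


def key_arn(region: str, key_id: str = MRK_ID, account: str = ACCOUNT) -> str:
    return f"arn:aws:kms:{region}:{account}:key/{key_id}"


def same_multi_region_key(arn_a: str, arn_b: str) -> bool:
    """True only when both ARNs are multi-Region keys with the same key ID in
    the same account, i.e. a primary/replica pair. Two ordinary single-Region
    keys created separately in each Region never satisfy this, which is the
    property the question's "same KMS key" requirement hinges on."""
    m_a, m_b = KMS_ARN_RE.match(arn_a), KMS_ARN_RE.match(arn_b)
    if not (m_a and m_b):
        return False
    return (m_a["key_id"].startswith("mrk-")
            and m_a["key_id"] == m_b["key_id"]
            and m_a["account"] == m_b["account"])


def bucket_encryption_config(region: str, key_id: str = MRK_ID) -> dict:
    """Payload for `s3api put-bucket-encryption`: SSE-KMS by default, using the
    customer managed key that lives in the bucket's own Region."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": key_arn(region, key_id)},
        "BucketKeyEnabled": True}]}


def replication_config(dest_bucket: str, dest_region: str, role_arn: str,
                       key_id: str = MRK_ID) -> dict:
    """Payload for `s3api put-bucket-replication`. Objects encrypted with
    SSE-KMS are only replicated when SseKmsEncryptedObjects is enabled, and S3
    re-encrypts them under ReplicaKmsKeyID in the destination Region; pointing
    that at the multi-Region replica keeps both copies under one key."""
    return {"Role": role_arn, "Rules": [{
        "ID": "replicate-sse-kms-objects",
        "Status": "Enabled",
        "Priority": 1,
        "Filter": {},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
        "Destination": {
            "Bucket": f"arn:aws:s3:::{dest_bucket}",
            "EncryptionConfiguration": {"ReplicaKmsKeyID": key_arn(dest_region, key_id)}}}]}


def keys_match(src_encryption: dict, replication: dict) -> bool:
    """Check that the source bucket's default key and the replication rule's
    destination key are the same multi-Region key before applying either."""
    src = src_encryption["Rules"][0]["ApplyServerSideEncryptionByDefault"]["KMSMasterKeyID"]
    dst = replication["Rules"][0]["Destination"]["EncryptionConfiguration"]["ReplicaKmsKeyID"]
    return same_multi_region_key(src, dst)


if __name__ == "__main__":
    # Order of operations with the AWS CLI (not executed here; both buckets must
    # already exist with versioning enabled, a prerequisite for replication):
    #   aws kms create-key --multi-region --region us-east-1
    #   aws kms replicate-key --key-id <primary key ARN> --replica-region us-west-2
    #   aws s3api put-bucket-encryption --bucket <bucket> \
    #       --server-side-encryption-configuration file://enc.json
    #   aws s3api put-bucket-replication --bucket <bucket> \
    #       --replication-configuration file://repl.json
    role = f"arn:aws:iam::{ACCOUNT}:role/s3-replication"   # constructed placeholder
    enc_primary = bucket_encryption_config(PRIMARY_REGION)
    repl = replication_config("app-data-us-west-2", REPLICA_REGION, role)
    print(json.dumps(enc_primary, indent=2))
    print(json.dumps(repl, indent=2))
    print("same multi-Region key:", keys_match(enc_primary, repl))
    # For contrast, a separate single-Region key per Region is rejected:
    print("separate Regional keys:", same_multi_region_key(
        key_arn(PRIMARY_REGION, "1234abcd-12ab-34cd-56ef-1234567890ab"),
        key_arn(REPLICA_REGION, "abcd1234-ab12-cd34-ef56-ab1234567890")))
```

The `keys_match` check is the part worth keeping in a deployment pipeline: it fails closed when someone substitutes an ordinary single-Region key for the replica, which is exactly the mistake that would make the two buckets' data decryptable only with different keys.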
Community vote distribution
A (35%)
C (25%)
B (20%)
Other