Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 134 discussion

SSE-KMS vs SSE-S3 - The last seems to have less overhead (as the keys are automatically generated by S3 and applied on data at upload, and don't require further actions. KMS provides more flexibility, but in turn involves a different service, which finally is more "complex" than just managing one (S3). So A and B are excluded. If you are in doubt, you are having 2 buckets in A and B, while just keeping one in C and D. https://s3browser.com/server-side-encryption-types.aspx Decide between C and D is deciding on Athena or RDS. RDS is a relational db, and we have documents on S3, which is the use case for Athena. Athena is also serverless, which eliminates the need of controlling the underlying infrastructure and capacity. So C is the answer. https://aws.amazon.com/athena/

Answer is A: Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS. With a few clicks in the AWS Management Console, and without any changes to your client applications, you can configure your bucket to use an S3 Bucket Key for AWS KMS-based encryption on new objects. The Existing S3 bucket might have uncrypted data - encryption will apply new data received after the applying of encryption on the new bucket.

About typos: "kays" should be "keys", and "SL" should be "SQL". So you gotta choose between A and C (We need Athena!). About option C: SSE-S3 is a valid encryption method, just not as suitable as SSE-KMS with multi-Region keys for CRR. SSE-KMS with multi-Region keys simplifies key management in the destination Region.

A melhor opção para atender aos requisitos com a menor sobrecarga operacional é a opção A: A. Crie um novo bucket do S3. Carregue os dados no novo bucket do S3. Use a replicação entre regiões (CRR) do S3 para replicar objetos criptografados para um bucket do S3 em outra região. Use a criptografia no lado do servidor com chaves multirregionais do AWS KMS (SSE-KMS). Use o Amazon Athena para consultar os dados.Conclusão: A opção A é a escolha ideal, pois combina os recursos sem servidor do Amazon Athena, a segurança avançada do SSE-KMS com chaves multirregionais, e a replicação automática entre regiões com o S3 CRR, tudo com a menor sobrecarga operacional.

what is the different between create a new S3 bucket and load data into the existing S3 bucket? I don't get it this. Please..

Option A provides a serverless solution, advanced encryption with AWS KMS multi-region keys and cross-region replication with CRR, all with the lowest operational overhead. Amazon Athena is the ideal tool for analyzing data in S3 without the need for additional infrastructure.

RDS is relational DB so we need Athena for this

I think A is correct because SSE-S3 doesn't support multi-region key management, but SSE-KMS has.

Ans A - once you realise "SL" is a typo for "ML" then its only the Athena options, and in the case of option it means setting up a new S3 bucket

"Unencrypted objects and objects encrypted with SSE-S3 are replicated by default." (stephane maarek course)

gpt-4 says A

C for sure

Since S3 has provides the automatic encryption for the storage objects, create another bucket is redundant, C has the least operational overhead.

What do mean by 'load the data into the existing bucket' ! the data is already staying in the existing bucket !

from @pentium75 Data in S3 is queried with Athena, not RDS, thus B and D are out. A requires a new bucket and loading data into that - Why, since data is already in S3? It says to enable CRR only after loading the data, so existing data won't be replicated anyway. C uses existing data (less operational overhead compared to loading data into a new bucket) and SSE-E3 (less operational overhead than SSE-KMS).

Option B suggests using Amazon RDS to query the data, which introduces additional complexity compared to using Amazon Athena. Option C suggests using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) instead of AWS KMS multi-Region keys, which might not meet the encryption requirements. Option D also suggests using Amazon RDS to query the data, which, as mentioned earlier, is not the best choice for a serverless solution and would result in higher operational overhead.

The answer is A because SSE-S3 does not support cross-region replication of encrypted data. If you perform cross-region replication, you will have to re-encrypt the data.