Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 134 discussion

SSE-KMS vs SSE-S3 - The last seems to have less overhead (as the keys are automatically generated by S3 and applied on data at upload, and don't require further actions. KMS provides more flexibility, but in turn involves a different service, which finally is more "complex" than just managing one (S3). So A and B are excluded. If you are in doubt, you are having 2 buckets in A and B, while just keeping one in C and D. https://s3browser.com/server-side-encryption-types.aspx Decide between C and D is deciding on Athena or RDS. RDS is a relational db, and we have documents on S3, which is the use case for Athena. Athena is also serverless, which eliminates the need of controlling the underlying infrastructure and capacity. So C is the answer. https://aws.amazon.com/athena/

Answer is A: Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS. With a few clicks in the AWS Management Console, and without any changes to your client applications, you can configure your bucket to use an S3 Bucket Key for AWS KMS-based encryption on new objects. The Existing S3 bucket might have uncrypted data - encryption will apply new data received after the applying of encryption on the new bucket.

since the requirement is "The serverless solution needs to analyze existing and new data", the answer C seems to be more appropriate since all the data will be in 1 bucket

Amazon S3 + Athena is a fully serverless data analytics solution (no infrastructure to manage). S3 Cross-Region Replication (CRR) enables automatic, asynchronous replication of objects across AWS Regions, satisfying the replication requirement. SSE-KMS with multi-Region keys ensures that the data is encrypted and can be decrypted in the destination Region, which is crucial for cross-region analytics and compliance. Athena is used for analyzing data directly in S3 using SQL, which meets the requirement to analyze existing and new data using SQL (SL was a typo). This option delivers everything with the least operational overhead — no server provisioning, no DB management, and built-in encryption + replication.

you can apply cross-region replication to an existing Amazon S3 bucket, but it will only replicate new objects after the replication rule is configured. To replicate existing objects, you'll need to use S3 Batch Replication.

I went for A because, if you start to encrypt only new data then 1. You will have an inconsistently solution for security. I think it fair to assume that if they want all new data encrypted, then all data should be encrypted 2. the serverless function will become more complex as it will have to establish whether the data is encrypted or not every time it retrieves an object. Therefore you need to create a new S3 bucket so that all data will be encrypted

fewer services = less operational overhead managed services/serverless = less operational overhead

If you want a straightforward approach to encrypting your S3 data without managing your own encryption keys, SSE-S3 is a good option. you need AWS KMS for this complex solution

A new bucket is needed to encrypt objects. C uses existing bucket.

About typos: "kays" should be "keys", and "SL" should be "SQL". So you gotta choose between A and C (We need Athena!). About option C: SSE-S3 is a valid encryption method, just not as suitable as SSE-KMS with multi-Region keys for CRR. SSE-KMS with multi-Region keys simplifies key management in the destination Region.

A melhor opção para atender aos requisitos com a menor sobrecarga operacional é a opção A: A. Crie um novo bucket do S3. Carregue os dados no novo bucket do S3. Use a replicação entre regiões (CRR) do S3 para replicar objetos criptografados para um bucket do S3 em outra região. Use a criptografia no lado do servidor com chaves multirregionais do AWS KMS (SSE-KMS). Use o Amazon Athena para consultar os dados.Conclusão: A opção A é a escolha ideal, pois combina os recursos sem servidor do Amazon Athena, a segurança avançada do SSE-KMS com chaves multirregionais, e a replicação automática entre regiões com o S3 CRR, tudo com a menor sobrecarga operacional.

what is the different between create a new S3 bucket and load data into the existing S3 bucket? I don't get it this. Please..

Option A provides a serverless solution, advanced encryption with AWS KMS multi-region keys and cross-region replication with CRR, all with the lowest operational overhead. Amazon Athena is the ideal tool for analyzing data in S3 without the need for additional infrastructure.

RDS is relational DB so we need Athena for this

I think A is correct because SSE-S3 doesn't support multi-region key management, but SSE-KMS has.

Ans A - once you realise "SL" is a typo for "ML" then its only the Athena options, and in the case of option it means setting up a new S3 bucket

"Unencrypted objects and objects encrypted with SSE-S3 are replicated by default." (stephane maarek course)