Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 134 discussion

SSE-KMS vs SSE-S3 - The last seems to have less overhead (as the keys are automatically generated by S3 and applied on data at upload, and don't require further actions. KMS provides more flexibility, but in turn involves a different service, which finally is more "complex" than just managing one (S3). So A and B are excluded. If you are in doubt, you are having 2 buckets in A and B, while just keeping one in C and D. https://s3browser.com/server-side-encryption-types.aspx Decide between C and D is deciding on Athena or RDS. RDS is a relational db, and we have documents on S3, which is the use case for Athena. Athena is also serverless, which eliminates the need of controlling the underlying infrastructure and capacity. So C is the answer. https://aws.amazon.com/athena/

Answer is A: Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS. With a few clicks in the AWS Management Console, and without any changes to your client applications, you can configure your bucket to use an S3 Bucket Key for AWS KMS-based encryption on new objects. The Existing S3 bucket might have uncrypted data - encryption will apply new data received after the applying of encryption on the new bucket.

RDS is relational DB so we need Athena for this

I think A is correct because SSE-S3 doesn't support multi-region key management, but SSE-KMS has.

Ans A - once you realise "SL" is a typo for "ML" then its only the Athena options, and in the case of option it means setting up a new S3 bucket

"Unencrypted objects and objects encrypted with SSE-S3 are replicated by default." (stephane maarek course)

gpt-4 says A

C for sure

Since S3 has provides the automatic encryption for the storage objects, create another bucket is redundant, C has the least operational overhead.

What do mean by 'load the data into the existing bucket' ! the data is already staying in the existing bucket !

from @pentium75 Data in S3 is queried with Athena, not RDS, thus B and D are out. A requires a new bucket and loading data into that - Why, since data is already in S3? It says to enable CRR only after loading the data, so existing data won't be replicated anyway. C uses existing data (less operational overhead compared to loading data into a new bucket) and SSE-E3 (less operational overhead than SSE-KMS).

Option B suggests using Amazon RDS to query the data, which introduces additional complexity compared to using Amazon Athena. Option C suggests using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) instead of AWS KMS multi-Region keys, which might not meet the encryption requirements. Option D also suggests using Amazon RDS to query the data, which, as mentioned earlier, is not the best choice for a serverless solution and would result in higher operational overhead.

The answer is A because SSE-S3 does not support cross-region replication of encrypted data. If you perform cross-region replication, you will have to re-encrypt the data.

awai it is correct

As per Amazon Q: The easiest way to encrypt existing objects in S3 is to use server-side encryption with S3-managed keys (SSE-S3). Here are the basic steps: 1. Enable SSE-S3 on the target S3 bucket if it is not already enabled. This will ensure all new or copied objects are encrypted automatically. 2. Create an S3 inventory report for the source bucket containing the objects. This will generate a CSV file with metadata of all objects. 3. Use S3 Select or AWS Athena to query the inventory report and filter for only unencrypted objects. 4. Create an S3 Batch Operations job to copy the filtered unencrypted objects to the target bucket. The copy operation will automatically encrypt the objects using the bucket's SSE-S3 configuration.

Data in S3 is queried with Athena, not RDS, thus B and D are out. A requires a new bucket and loading data into that - Why, since data is already in S3? It says to enable CRR only after loading the data, so existing data won't be replicated anyway. C uses existing data (less operational overhead compared to loading data into a new bucket) and SSE-E3 (less operational overhead than SSE-KMS).

I selected A because SSE-S3 keys are not multi-regional keys. You must use SSE-KMS for the multi-regional keys and then for serverless its Aurora.