Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 216 discussion

Step 1: S3 inventory to get object list Step 2 (If needed): Use S3 Select to filter Step 3: S3 object operations to encrypt the unencrypted objects. On the going object use default encryption.

By enabling default encryption settings on the S3, all newly added objects will be automatically encrypted. To encrypt the existing objects, the S3 Inventory feature can be used to generate a list of unencrypted objects. Then, an S3 Batch Operations job can be executed to copy those objects while applying encryption. A. This solution involves creating a new S3 and manually downloading and uploading all existing objects. It requires significant effort and time to transfer millions of objects, making it a less efficient solution. C. While enabling SSE with AWS KMS is a valid approach to encrypt objects in an S3, it does not address the requirement of encrypting existing objects. It only applies encryption to new objects added to the bucket. D. Manually modifying each object in the S3 to apply default encryption settings is a labor-intensive and error-prone process. It would require individually selecting and modifying each unencrypted object, which is impractical for a large number of objects.

Option B uses AWS tools like S3 Default Encryption, Inventory, and Batch Operations to enable encryption for both existing and future objects with minimal effort and automation, making it the best solution. Why not the other options? A. Create a new S3 bucket and migrate objects: This involves downloading and re-uploading all objects, which is highly manual, time-consuming, and prone to errors. It also incurs additional data transfer costs. C. Use SSE-KMS and turn on versioning: While enabling SSE-KMS for future objects is valid, this does not encrypt the existing objects unless explicitly copied or rewritten, requiring additional manual effort. D. Browse and modify objects manually: Manually selecting and encrypting each object is impractical for a bucket with millions of objects, as it is labor-intensive and time-consuming.

to be fair all these options take a hell a lot of work to do but i think the least amount of effort is B. https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

A - Extreme amount of effort B - Should work C - SSE-KMS is not "least amount of effort" compared to SSE-S3; Turning versioning is not required to achieve the result but on the contrary, it will cause the non-encrypted files to remain as old versions even if you encrypt them in the future. D - Even more effort as A

B... https://catalog.us-east-1.prod.workshops.aws/workshops/05f16f1a-0bbf-45a7-a304-4fcd7fca3d1f/en-US/s3-track/module-2 You're welcome

Amazon S3 now configures default encryption on all existing unencrypted buckets to apply server-side encryption with S3 managed keys (SSE-S3) as the base level of encryption for new objects uploaded to these buckets. Objects that are already in an existing unencrypted bucket won't be automatically encrypted. https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html

https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-copy-example-bucket-key.html

B is the correct answer

B 100% https://spin.atomicobject.com/2020/09/15/aws-s3-encrypt-existing-objects/

Why is no one discussing A ? I think A can also achieve the required results. B is the most appropriate answer though.

S3 provides a single control to automatically encrypt all new objects in a bucket with SSE-S3 or SSE-KMS. Unfortunately, these controls only affect new objects. If your bucket already contains millions of unencrypted objects, then turning on automatic encryption does not make your bucket secure as the unencrypted objects remain. For S3 buckets with a large number of objects (millions to billions), use Amazon S3 Inventory to get a list of the unencrypted objects, and Amazon S3 Batch Operations to encrypt the large number of old, unencrypted files.

S3 provides a single control to automatically encrypt all new objects in a bucket with SSE-S3 or SSE-KMS. Unfortunately, these controls only affect new objects. If your bucket already contains millions of unencrypted objects, then turning on automatic encryption does not make your bucket secure as the unencrypted objects remain. For S3 buckets with a large number of objects (millions to billions), use Amazon S3 Inventory to get a list of the unencrypted objects, and Amazon S3 Batch Operations to encrypt the large number of old, unencrypted files.

C is wrong. Even though you turn on the SSE-KMS with a new key, the existing objects are still yet to be encrypted. They still need to be manually encrypted by AWS batch

https://spin.atomicobject.com/2020/09/15/aws-s3-encrypt-existing-objects/

C is the answer

Agree with Parsons