Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 91 discussion

Answer is A Keyword is "The S3 buckets have millions of objects" If there are million of objects then you should use Batch operations. https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

This is outdated now. "Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance." https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html

S3 Batch Operations can be used to efficiently apply changes to a large number of objects in a bucket, including copying and encrypting them in place. This is ideal for retroactively encrypting millions of existing objects without needing to manually handle them one by one.

I understand S3 Batch operations is required. But why no one is choosing SSE-KMS?

To encrypt your existing unencrypted Amazon S3 objects, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects to operate on, and Batch Operations calls the respective API to perform the specified operation. You can use the Batch Operations Copy operation to copy existing unencrypted objects and write them back to the same bucket as encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html

A = correct (see https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/) B = KMS is for SSE-KMS not for the requested SSE-S3 C = CLI is less efficient than S3 Batch D = see answer B

A is the right answer

Correct answer should be A. But this question seem too old to be true now since SSE-S3 based encryption is by default enabled and can't be disabled (you can change however) since Jan 2023.

Since SSE-S3 does not support cross-account replication, answer should be D

In a cross-account scenario, where the source and destination buckets are owned by different AWS accounts, you can use a KMS key to encrypt object replicas. However, the KMS key owner must grant the source bucket owner permission to use the KMS key. https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#replication-kms-cross-acct-scenario S3 Batch operation: https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

S3 Batch operation is the MOST operationally efficient way for millions objects

Answer is A

A more efficient

I vote for A. Batch operations is better for such a high number of objects

https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/ The launch of S3 default encryption feature automate the wok of encrypting new objects, and you asked for similar, straightforward ways to encrypt existing objects in your buckets. While tools and scripts exist to do this work, each one requires some development work to set up. S3 batch operations gives you a solution for encrypting large number of archived files. This can also be done by CLI, Option C, however, the same article refers to Batch Operations in case you have a large bucket with millions of objects. https://aws.amazon.com/blogs/storage/encrypting-existing-amazon-s3-objects-with-the-aws-cli/ Option A should be the most efficient, even though it has more operational cost to implement but the question is the about efficiency, it would take to much time to complete this using CLI (Option C).

A is much more efficient

A and C seems to be correct but using batch requires more steps. https://aws.amazon.com/blogs/storage/encrypting-existing-amazon-s3-objects-with-the-aws-cli/