Question #2028
A company uses server-side encryption with AWS KMS keys (SSE-KMS) for data stored in an Amazon S3 bucket. The objects are accessed hundreds of times daily, and the company observes high costs due to frequent API calls to AWS KMS. The company must maintain encryption compliance but wants to reduce costs by minimizing AWS KMS requests without disabling encryption or changing their KMS key management strategy.
Which solution will meet these requirements?
A. Migrate to server-side encryption with Amazon S3 managed keys (SSE-S3) for all existing and new objects.
B. Enable S3 Bucket Keys for server-side encryption with AWS KMS keys (SSE-KMS) on the bucket.
C. Implement client-side encryption using AWS KMS customer managed keys for new object uploads.
D. Switch to server-side encryption with customer-provided keys (SSE-C) stored in AWS KMS for all objects.
Explanation
The correct answer is B. S3 Bucket Keys work with SSE-KMS to create a bucket-level data key that is used to encrypt objects, reducing the need for frequent KMS API calls. Instead of calling AWS KMS for every object encryption/decryption, the bucket key is reused for a short period, significantly lowering costs while maintaining encryption compliance.
Option A changes the encryption method to SSE-S3, which violates the requirement to keep KMS key management. Option C introduces client-side encryption, which does not reduce KMS API calls and adds complexity. Option D uses SSE-C, which requires the customer to manage and supply keys with each request and does not store keys in AWS KMS, so the option as described is not valid. Thus, B is the only solution that meets all requirements.
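As an added example (not part of the original question), the check below audits a bucket encryption configuration in the shape returned by the S3 GetBucketEncryption API and produces the corrected configuration with S3 Bucket Keys enabled; the sample configuration and its KMS key ARN are constructed inline, so no AWS calls are made.

```python
import copy

# Added example: audit a bucket's default-encryption rules for SSE-KMS
# without S3 Bucket Keys, then emit the corrected configuration.
# The configuration dicts follow the GetBucketEncryption response shape.
SSE_KMS = "aws:kms"


def audit_encryption_config(config):
    """Return a list of findings (empty means SSE-KMS with Bucket Keys on)."""
    findings = []
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption configured"]
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo != SSE_KMS:
            findings.append(f"default encryption is {algo}, not SSE-KMS")
        elif not rule.get("BucketKeyEnabled", False):
            findings.append("SSE-KMS without S3 Bucket Key: every object request calls KMS")
    return findings


def enable_bucket_key(config):
    """Return a copy with BucketKeyEnabled set on every SSE-KMS rule.

    The SSEAlgorithm and KMSMasterKeyID are left unchanged, so the
    existing KMS key management strategy is preserved.
    """
    fixed = copy.deepcopy(config)
    for rule in fixed["ServerSideEncryptionConfiguration"]["Rules"]:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == SSE_KMS:
            rule["BucketKeyEnabled"] = True
    return fixed


# Constructed sample: SSE-KMS with a customer managed key, Bucket Key not enabled.
# The key ARN is a placeholder, not a real key.
WEAK_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                },
                "BucketKeyEnabled": False,
            }
        ]
    }
}
```

The corrected dict is what you would pass as `ServerSideEncryptionConfiguration` to PutBucketEncryption; Bucket Keys apply to objects written after the change, not to existing objects.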
Answer
The correct answer is: B