AWS Certified Solutions Architect - Professional / Question #785 of 529

Question #785

A company stores millions of objects in an Amazon S3 bucket using the S3 Standard storage class. All objects are accessed frequently by a growing number of users and applications. The objects are encrypted using server-side encryption with AWS KMS keys (SSE-KMS). The company observes a significant increase in AWS KMS costs due to the high volume of encryption requests from S3. A solutions architect must reduce costs while minimizing application changes.

Which solution meets these requirements with the LEAST operational overhead?

A

Create a new S3 bucket configured for server-side encryption with customer-provided keys (SSE-C). Use S3 Batch Operations to copy existing objects to the new bucket and apply SSE-C encryption.

B

Create a new S3 bucket configured for server-side encryption with Amazon S3 managed keys (SSE-S3). Use S3 Batch Operations to copy existing objects to the new bucket and apply SSE-S3 encryption.

C

Migrate encryption keys to AWS CloudHSM. Create a new S3 bucket and use S3 Batch Operations to copy objects while encrypting them with CloudHSM-managed keys.

D

Transition the S3 bucket to the S3 Intelligent-Tiering storage class. Configure an archive policy to move objects not accessed for 30 days to S3 Glacier Instant Retrieval.

Explanation

Answer B is correct because:
1. SSE-S3 vs. SSE-KMS costs: with SSE-KMS, S3 calls AWS KMS on the company's behalf (GenerateDataKey for each upload, Decrypt for each download), and those KMS API requests are billed per request. SSE-S3 keys are generated, rotated and stored by S3 itself with no per-request charge, so moving the objects to SSE-S3 removes the KMS line item that is growing with traffic.
2. Minimal application changes: SSE-S3 is fully server-side, so clients keep using plain GetObject/PutObject. With SSE-C (Option A) every request must carry the customer key and its MD5 in headers, and a CloudHSM-backed design (Option C) still requires KMS integration. Note that a client which explicitly sends x-amz-server-side-encryption: aws:kms overrides the new bucket's default, so request headers should be checked as part of the cut-over.
3. Operational simplicity: an S3 Batch Operations Copy job re-encrypts the existing objects as one managed, reported job (the Copy operation handles objects up to 5 GB each; larger objects need a multipart copy). Setting SSE-S3 as the default encryption on the new bucket (S3 already applies SSE-S3 to new objects when no default is configured) covers all future writes without code changes.

Why other options are incorrect:
- A (SSE-C): the customer owns key storage, rotation and distribution, and every application request must supply the key over HTTPS. This is the largest application change of all the options and adds operational risk (a lost key makes the objects unrecoverable).
- C (CloudHSM): S3 cannot use CloudHSM keys directly; they would be exposed through an AWS KMS custom key store, so S3 would still issue billable KMS requests, now with an hourly CloudHSM cluster charge on top. Higher cost and complexity, and the original problem is untouched.
- D (Intelligent-Tiering): changes the storage class only. The objects are encrypted the same way and are accessed frequently, so the KMS request charges remain (and frequently accessed objects would never be archived anyway).

Key Points:
- SSE-S3 eliminates KMS per-request costs.
- S3 Batch Operations enables bulk re-encryption (copy with a new SSEAlgorithm) without touching applications.
- Minimizing application changes is critical.
- Security trade-off to confirm before choosing B: SSE-S3 gives up the KMS key policy as a second authorization layer and the CloudTrail record of every key use. If those controls are required, the real-world fix is to keep SSE-KMS and enable an S3 Bucket Key, which cuts KMS requests by up to 99% with no application change; that option is simply not offered in this question.

Answer

The correct answer is: B
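The migration in answer B, worked through as an added example (not part of the original question and not AWS sample code). The builders return the exact keyword arguments accepted by boto3's `s3control.create_job` and `s3.put_bucket_encryption`, and the audit helper runs over `head_object` responses so the result of the migration can be verified rather than assumed. No AWS call is made at import time; the account ID, bucket names, ARNs, ETag and the sample `head_object` responses are constructed assumptions.

```python
"""SSE-KMS -> SSE-S3 migration with S3 Batch Operations, plus a post-migration audit.
Added example; identifiers below are assumptions, not a real account.
"""
import csv
import io
from urllib.parse import quote


def default_encryption_config(kms_key_arn=None):
    """Bucket default encryption for put_bucket_encryption.
    No key: SSE-S3 (AES256), the answer-B path.
    With a key: SSE-KMS plus an S3 Bucket Key, which keeps KMS key policies and
    CloudTrail key-use logging while cutting KMS requests by up to 99%."""
    if kms_key_arn is None:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    else:
        rule = {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": True,
        }
    return {"Rules": [rule]}


def manifest_csv(bucket, keys):
    """Body of a Batch Operations manifest (format S3BatchOperations_CSV_20180820,
    fields Bucket,Key). Keys must be URL-encoded in the manifest; '/' is kept."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for key in keys:
        writer.writerow([bucket, quote(key, safe="/")])
    return buf.getvalue()


def build_copy_job_request(account_id, target_bucket, manifest_arn, manifest_etag,
                           report_bucket, role_arn):
    """Keyword arguments for s3control.create_job: copy each manifest object into
    target_bucket re-encrypted with SSE-S3. MetadataDirective=COPY preserves user
    metadata, so callers see identical objects. Copy handles objects up to 5 GB."""
    return {
        "AccountId": account_id,
        "ConfirmationRequired": False,
        "Operation": {
            "S3PutObjectCopy": {
                "TargetResource": f"arn:aws:s3:::{target_bucket}",
                "MetadataDirective": "COPY",
                "NewObjectMetadata": {"SSEAlgorithm": "AES256"},
            }
        },
        "Manifest": {
            "Spec": {"Format": "S3BatchOperations_CSV_20180820",
                     "Fields": ["Bucket", "Key"]},
            "Location": {"ObjectArn": manifest_arn, "ETag": manifest_etag},
        },
        "Report": {
            "Bucket": f"arn:aws:s3:::{report_bucket}",
            "Format": "Report_CSV_20180820",
            "Enabled": True,
            "Prefix": "batch-reports/sse-s3-migration",
            "ReportScope": "FailedTasksOnly",
        },
        "Priority": 10,
        "RoleArn": role_arn,
    }


def audit_encryption(head_results):
    """Post-migration check over (key, head_object response) pairs.
    Returns counts per ServerSideEncryption value and the keys that still use
    KMS (aws:kms / aws:kms:dsse) or carry no SSE header (unencrypted or SSE-C)."""
    counts = {}
    needs_work = []
    for key, head in head_results:
        sse = head.get("ServerSideEncryption", "NONE")
        counts[sse] = counts.get(sse, 0) + 1
        if sse != "AES256":
            needs_work.append(key)
    return {"counts": counts, "needs_work": needs_work}


# Constructed head_object responses for the audit (not real AWS output).
SAMPLE_HEADS = [
    ("reports/q1 2024.csv", {"ServerSideEncryption": "AES256"}),
    ("reports/q2.csv", {"ServerSideEncryption": "aws:kms",
                        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/example"}),
    ("legacy/plain.bin", {}),
]


def run_against_aws(account_id, source_bucket, target_bucket, role_arn):
    """Wires the builders to boto3; only called when actually submitting the job."""
    import boto3  # imported here so the module stays importable offline
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(Bucket=target_bucket,
                             ServerSideEncryptionConfiguration=default_encryption_config())
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=source_bucket)
    keys = [o["Key"] for page in pages for o in page.get("Contents", [])]
    put = s3.put_object(Bucket=target_bucket, Key="manifests/migrate.csv",
                        Body=manifest_csv(source_bucket, keys).encode())
    req = build_copy_job_request(account_id, target_bucket,
                                 f"arn:aws:s3:::{target_bucket}/manifests/migrate.csv",
                                 put["ETag"].strip('"'), target_bucket, role_arn)
    return boto3.client("s3control").create_job(**req)["JobId"]
```

The Batch Operations role needs s3:GetObject on the source, kms:Decrypt on the source KMS key (the copy still has to decrypt the old ciphertext once) and s3:PutObject on the target; after the job reports success, run `audit_encryption` over `head_object` results for the target bucket and treat any key in `needs_work` as a migration gap rather than assuming the job covered everything.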