AWS Certified Solutions Architect - Professional / Question #982 of 529

Question #982

A company stores and manages critical data in an Amazon Elastic File System (Amazon EFS) file system encrypted with an AWS Key Management Service (AWS KMS) key. The file system is mounted on an Amazon EC2 instance hosting a proprietary application. Automatic backups are enabled using the AWS Backup default backup plan. The company requires the ability to recover deleted data within a Recovery Point Objective (RPO) of 90 minutes. Which solution meets these requirements?

A

Create a new IAM role. Configure a new backup plan with the new IAM role. Update the KMS key policy to grant the new role access. Schedule backups every 60 minutes using a cron expression.

B

Create a new backup plan. Update the KMS key policy to allow the AWSServiceRoleForBackup IAM role to use the key. Configure a custom cron expression to back up the file system every 90 minutes.

C

Use the existing backup plan. Update the KMS key policy to allow the AWSServiceRoleForBackup IAM role. Enable continuous backups for point-in-time recovery on the EFS file system.

D

Use the existing backup plan. Update the KMS key policy to allow Cross-Region Replication. Enable backups in a secondary AWS Region every 60 minutes.

Explanation

Option B is correct because:
1. Custom Backup Schedule: The default AWS Backup plan schedules daily backups, which do not meet the 90-minute RPO. Creating a new backup plan with a cron expression for every 90 minutes ensures backups are taken within the required RPO.
2. KMS Key Policy Update: The AWS Backup service uses the AWSServiceRoleForBackup IAM role. Updating the KMS key policy to grant this role access ensures encrypted EFS backups can be created.

Other options are incorrect because:
- A: Creating a new IAM role is unnecessary since AWS Backup uses the predefined AWSServiceRoleForBackup.
- C: While enabling EFS continuous backups (PITR) provides near-real-time recovery, the question specifies that the solution must be built on the AWS Backup plan, so this option does not fit.
- D: Cross-Region Replication does not address the RPO requirement for recovering deleted data within 90 minutes.

Key Points:
- AWS Backup requires the AWSServiceRoleForBackup role to have KMS key access for encrypted resources.
- Custom backup plans with cron expressions allow granular scheduling to meet RPO requirements.
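The two Key Points above can be checked in code. The following Python example is added here and is not part of the question, the exam material, or any AWS code; it builds the KMS key policy statement that grants AWSServiceRoleForBackup use of the key, assembles an AWS Backup plan document, and evaluates the plan's schedule against the 90-minute RPO by computing the largest gap between consecutive backup times. Because a cron minutes field only holds 0-59, a 90-minute cadence cannot be written as a single cron expression, so the example uses two rules (on the hour every three hours, and on the half hour offset by one hour) whose combined schedule fires every 90 minutes. The account id, vault name, rule names, retention period and start window are placeholders chosen for the example; only the minute and hour fields of each cron expression are evaluated, on the assumption that the remaining fields select every day.

```python
"""Check an AWS Backup plan schedule against an RPO and build the KMS key
policy statement that lets AWS Backup use the key.

Added example for the question above; not AWS code. The account id, vault
name, retention and start window below are placeholders (assumptions).
"""
import json
from typing import Dict, List, Tuple

# Service-linked role used by AWS Backup; the account id is a placeholder.
BACKUP_ROLE_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
                   "backup.amazonaws.com/AWSServiceRoleForBackup")

# Two rules that together fire every 90 minutes: 00:00, 01:30, 03:00, ...
NINETY_MINUTE_RULES = ["cron(0 0/3 * * ? *)", "cron(30 1/3 * * ? *)"]

MINUTES_PER_DAY = 24 * 60


def _bounds(spec: str, lo: int, hi: int, stepped: bool) -> Tuple[int, int]:
    """Start/end of one cron list item ('*', 'a', 'a-b'); 'a/b' runs to the max."""
    if spec == "*":
        return lo, hi
    if "-" in spec:
        a, b = spec.split("-", 1)
        return int(a), int(b)
    return (int(spec), hi) if stepped else (int(spec), int(spec))


def _expand_field(field: str, lo: int, hi: int) -> List[int]:
    """Expand one cron field (lists, ranges, steps) into sorted values."""
    values = set()
    for part in field.split(","):
        spec, _, step_text = part.partition("/")
        step = int(step_text) if step_text else 1
        start, end = _bounds(spec, lo, hi, stepped=bool(step_text))
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"cron field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def fire_minutes(schedule: str) -> List[int]:
    """Minutes-of-day at which an AWS 'cron(min hour dom month dow year)'
    expression fires, assuming the day/month/year fields select every day."""
    body = schedule.strip()
    if not (body.startswith("cron(") and body.endswith(")")):
        raise ValueError("expected an AWS Backup cron(...) schedule")
    fields = body[5:-1].split()
    if len(fields) != 6:
        raise ValueError("AWS cron expressions have six fields")
    minutes = _expand_field(fields[0], 0, 59)
    hours = _expand_field(fields[1], 0, 23)
    return sorted(h * 60 + m for h in hours for m in minutes)


def max_gap_minutes(schedules: List[str]) -> int:
    """Largest interval between consecutive backups across all rules,
    including the wrap past midnight; this is the worst-case data loss."""
    times = sorted({t for s in schedules for t in fire_minutes(s)})
    gaps = [b - a for a, b in zip(times, times[1:])]
    gaps.append(times[0] + MINUTES_PER_DAY - times[-1])
    return max(gaps)


def meets_rpo(schedules: List[str], rpo_minutes: int) -> bool:
    return max_gap_minutes(schedules) <= rpo_minutes


def kms_key_policy_statement(role_arn: str) -> Dict:
    """Key policy statement granting the AWS Backup role the operations
    needed to read the encrypted EFS data and write encrypted backups."""
    return {
        "Sid": "AllowAWSBackupToUseTheKey",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
        "Resource": "*",
    }


def backup_plan(name: str, vault: str, schedules: List[str]) -> Dict:
    """Plan document for 'aws backup create-backup-plan --backup-plan file://...'.
    One rule per schedule; window and retention values are placeholders."""
    return {
        "BackupPlanName": name,
        "Rules": [{
            "RuleName": f"{name}-rule-{i}",
            "TargetBackupVaultName": vault,
            "ScheduleExpression": schedule,
            "StartWindowMinutes": 60,       # job may start up to 60 min late
            "CompletionWindowMinutes": 120,
            "Lifecycle": {"DeleteAfterDays": 35},
        } for i, schedule in enumerate(schedules, 1)],
    }


if __name__ == "__main__":
    for label, rules in [("daily (constructed)", ["cron(0 5 ? * * *)"]),
                         ("three-hourly", NINETY_MINUTE_RULES[:1]),
                         ("two-rule 90 min", NINETY_MINUTE_RULES)]:
        print(f"{label:20s} max gap {max_gap_minutes(rules):5d} min "
              f"meets 90-min RPO: {meets_rpo(rules, 90)}")
    print(json.dumps(kms_key_policy_statement(BACKUP_ROLE_ARN), indent=2))
    print(json.dumps(backup_plan("efs-90min", "Default", NINETY_MINUTE_RULES), indent=2))
```

The gap check is the number to compare with the RPO: a single daily rule yields a 1440-minute gap, one three-hourly rule 180 minutes, and the two-rule plan 90 minutes. Note that `StartWindowMinutes` allows the job to begin that long after its scheduled time, so the effective worst case is the schedule gap plus the start window; size both with the RPO in mind. The key policy statement is appended to the existing policy's `Statement` array rather than replacing it, so the existing key administrators and the EFS mount keep their access.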

Answer

The correct answer is: B