SAP-C02: Optimizing AWS KMS Costs for Frequently Accessed S3 Objects

Learn how to reduce AWS KMS costs for frequently accessed Amazon S3 objects while minimizing operational overhead. Discover the optimal solution for your organization.

Question

A company has millions of objects in an Amazon S3 bucket. The objects are in the S3 Standard storage class. All the S3 objects are accessed frequently. The number of users and applications that access the objects is increasing rapidly. The objects are encrypted with server-side encryption with AWS KMS keys (SSE-KMS).

A solutions architect reviews the company’s monthly AWS invoice and notices that AWS KMS costs are increasing because of the high number of requests from Amazon S3. The solutions architect needs to optimize costs with minimal changes to the application.

Which solution will meet these requirements with the LEAST operational overhead?

A. Create a new S3 bucket that has server-side encryption with customer-provided keys (SSE-C) as the encryption type. Copy the existing objects to the new S3 bucket. Specify SSE-C.
B. Create a new S3 bucket that has server-side encryption with Amazon S3 managed keys (SSE-S3) as the encryption type. Use S3 Batch Operations to copy the existing objects to the new S3 bucket. Specify SSE-S3.
C. Use AWS CloudHSM to store the encryption keys. Create a new S3 bucket. Use S3 Batch Operations to copy the existing objects to the new S3 bucket. Encrypt the objects by using the keys from CloudHSM.
D. Use the S3 Intelligent-Tiering storage class for the S3 bucket. Create an S3 Intelligent-Tiering archive configuration to transition objects that are not accessed for 90 days to S3 Glacier Deep Archive.

Answer

B. Create a new S3 bucket that has server-side encryption with Amazon S3 managed keys (SSE-S3) as the encryption type. Use S3 Batch Operations to copy the existing objects to the new S3 bucket. Specify SSE-S3.

Explanation

Option A requires minimal changes to the application, but it introduces additional operational overhead. The company would need to manage the encryption keys itself, which could be complex and time-consuming.

Option C requires even more operational overhead, as it involves using AWS CloudHSM to store the encryption keys and manually encrypting the objects using those keys.

Option D does not address the issue of high KMS costs. S3 Intelligent-Tiering is a storage class that helps optimize storage costs by automatically moving infrequently accessed objects to a lower-cost storage tier; it does nothing about the KMS costs that come from frequent access to the objects.

In contrast, option B offers a straightforward solution that minimizes operational overhead. By creating a new S3 bucket with SSE-S3 encryption, the company can leverage Amazon S3’s managed keys, which eliminates the need for manual key management. Additionally, using S3 Batch Operations to copy the existing objects to the new S3 bucket ensures a seamless transition without disrupting the application.
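An added example, not part of the original page: the default-encryption document for the new SSE-S3 bucket, plus a spot check that every copied object under a prefix reports SSE-S3 rather than SSE-KMS. The names `audit_prefix`, `StubS3`, the bucket name and the sample keys are constructed here; against a real bucket, pass a boto3 S3 client in place of the stub.

```python
from collections import Counter

SSE_S3 = "AES256"    # value S3 reports for SSE-S3 objects
SSE_KMS = "aws:kms"  # value S3 reports for SSE-KMS objects

def sse_s3_default_encryption():
    """Body for put_bucket_encryption(ServerSideEncryptionConfiguration=...)."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": SSE_S3}}]}

def audit_prefix(s3, bucket, prefix=""):
    """Count objects per SSE algorithm; list those not stored with SSE-S3."""
    counts, leftovers = Counter(), []
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for obj in page.get("Contents", []):  # empty pages carry no "Contents"
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            alg = head.get("ServerSideEncryption", "none")
            counts[alg] += 1
            if alg != SSE_S3:
                leftovers.append((obj["Key"], alg, head.get("SSEKMSKeyId")))
    return dict(counts), leftovers

class StubS3:
    """Constructed stand-in for a boto3 S3 client so the example runs offline."""
    def __init__(self, objects):
        self.objects = objects
    def get_paginator(self, name):
        return self
    def paginate(self, Bucket, Prefix=""):
        keys = sorted(k for k in self.objects if k.startswith(Prefix))
        for i in range(0, len(keys), 2):  # two keys per page to exercise paging
            yield {"Contents": [{"Key": k} for k in keys[i:i + 2]]}
        if not keys:
            yield {}
    def head_object(self, Bucket, Key):
        return self.objects[Key]

# Constructed sample: one object was missed by the copy and still uses SSE-KMS.
SAMPLE = {
    "logs/a.json": {"ServerSideEncryption": SSE_S3},
    "logs/b.json": {"ServerSideEncryption": SSE_KMS,
                    "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/CONSTRUCTED-EXAMPLE"},
    "logs/c.json": {"ServerSideEncryption": SSE_S3},
}

if __name__ == "__main__":
    counts, leftovers = audit_prefix(StubS3(SAMPLE), "new-bucket-placeholder", "logs/")
    print(counts)
    for key, alg, kms_key in leftovers:
        print(f"still {alg}: {key} ({kms_key})")
```

With millions of objects, one `head_object` call per key is only practical for sampling a prefix.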
