AWS Certified SAP on AWS – Specialty (PAS-C01) — Question 3
A company is implementing SAP HANA on AWS. According to the company’s security policy, SAP backups must be encrypted. Only authorized team members are allowed to decrypt the SAP backups.
What is the MOST operationally efficient solution that meets these requirements?
Answer options
- A. Configure AWS Backint Agent for SAP HANA to create SAP backups in an Amazon S3 bucket. After a backup is created, encrypt the backup by using client-side encryption. Share the encryption key with authorized team members only.
- B. Configure AWS Backint Agent for SAP HANA to use AWS Key Management Service (AWS KMS) for SAP backups. Create a key policy to grant decryption permission to authorized team members only.
- C. Configure AWS Storage Gateway to transfer SAP backups from a file system to an Amazon S3 bucket. Use an S3 bucket policy to grant decryption permission to authorized team members only.
- D. Configure AWS Backint Agent for SAP HANA to use AWS Key Management Service (AWS KMS) for SAP backups. Grant object ACL decryption permission to authorized team members only.
Correct answer: B
Explanation
Option B is the best choice because AWS Key Management Service (AWS KMS) provides a centralized and efficient way to manage encryption keys and permissions. Options A and C involve less efficient client-side encryption and may complicate key management. Option D uses KMS but relies on ACLs, which are less manageable than KMS key policies.