AWS Certified Solutions Architect – Associate (SAA-C02) — Question 778

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an
AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
• B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.
• C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
• D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE- KMS). Configure replication between the S3 buckets.

Correct answer: B

Explanation

Option B is correct because AWS KMS multi-Region keys let you replicate the same key identity and key material across multiple AWS Regions, allowing the application to encrypt and decrypt data in different regions using the same key. Options A and C are incorrect because they use S3-managed keys (SSE-S3) rather than the required customer managed KMS key. Option D is incorrect because creating distinct single-Region customer managed KMS keys in each Region would result in different key materials, preventing them from being used as the same key to decrypt replicated data natively.