AWS Certified Solutions Architect – Associate (SAA-C03) — Question 699

A company migrated millions of archival files to Amazon S3. A solutions architect needs to implement a solution that will encrypt all the archival data by using a customer-provided key. The solution must encrypt existing unencrypted objects and future objects.

Which solution will meet these requirements?

Answer options

Correct answer: A

Explanation

To encrypt millions of existing objects at scale with a customer-provided key, an Amazon S3 Inventory report identifies the unencrypted objects, and an S3 Batch Operations job then processes them in bulk using server-side encryption with a customer-provided key (SSE-C). Enabling S3 default encryption with SSE-C on the bucket ensures that all future objects are automatically encrypted upon upload. The other options are incorrect because they either use AWS KMS keys (SSE-KMS) instead of SSE-C or provide no mechanism to encrypt the existing legacy objects.