AWS Certified Solutions Architect – Associate (SAA-C03) — Question 955
A company runs an environment where data is stored in an Amazon S3 bucket. The objects are accessed frequently throughout the day. The company has strict data encryption requirements for data that is stored in the S3 bucket. The company currently uses AWS Key Management Service (AWS KMS) for encryption.
The company wants to optimize costs associated with encrypting S3 objects without making additional calls to AWS KMS.
Which solution will meet these requirements?
Answer options
- A. Use server-side encryption with Amazon S3 managed keys (SSE-S3).
- B. Use an S3 Bucket Key for server-side encryption with AWS KMS keys (SSE-KMS) on the new objects.
- C. Use client-side encryption with AWS KMS customer managed keys.
- D. Use server-side encryption with customer-provided keys (SSE-C) stored in AWS KMS.
Correct answer: B
Explanation
Using an S3 Bucket Key for SSE-KMS reduces encryption costs by caching a bucket-level key, which significantly decreases the volume of API calls made from Amazon S3 to AWS KMS. This directly lowers KMS request charges while maintaining the requirement to use AWS KMS for encryption. Other options either do not use AWS KMS (SSE-S3) or fail to reduce the number of KMS API calls.