AWS Certified Solutions Architect – Professional (SAP-C02) — Question 205

A company is migrating an application to AWS. It wants to use fully managed services as much as possible during the migration. The company needs to store large important documents within the application with the following requirements:

1. The data must be highly durable and available
2. The data must always be encrypted at rest and in transit
3. The encryption key must be managed by the company and rotated periodically

Which of the following solutions should the solutions architect recommend?

Answer options

• A. Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.
• B. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
• C. Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.
• D. Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.

Correct answer: B

Explanation

The correct answer is B because Amazon S3 can provide high durability and availability, supports encryption in transit and at rest, and allows the customer to manage their own encryption keys through AWS KMS. Option A is incorrect as it does not provide the necessary encryption controls and is not fully managed in the way required. Option C does not meet the requirement for data encryption in transit and at rest in the same way as S3. Option D lacks fully managed services and does not offer the same level of durability and availability as S3.