AWS Certified Solutions Architect – Professional (SAP-C02) — Question 445
A company stores and manages documents in an Amazon Elastic File System (Amazon EFS) file system. The file system is encrypted with an AWS Key Management Service (AWS KMS) key. The file system is mounted to an Amazon EC2 instance that runs proprietary software.
The company has enabled automatic backups for the file system. The automatic backups use the AWS Backup default backup plan.
A solutions architect must ensure that deleted documents can be recovered within an RPO of 100 minutes.
Which solution will meet these requirements?
Answer options
- A. Create a new IAM role. Create a new backup plan. Use the new IAM role to create backups. Update the KMS key policy to allow the new IAM role to use the key. Implement an hourly backup schedule for the file system.
- B. Create a new backup plan. Update the KMS key policy to allow the AWSServiceRoleForBackup IAM role to use the key. Implement a custom cron expression to run a backup of the file system every 30 minutes.
- C. Create a new IAM role. Use the existing backup plan. Update the KMS key policy to allow the new IAM role to use the key. Enable continuous backups for point-in-time recovery.
- D. Use the existing backup plan. Update the KMS key policy to allow the AWSServiceRoleForBackup IAM role to use the key. Enable Cross-Region Replication for the file system.
Correct answer: A
Explanation
To meet a Recovery Point Objective (RPO) of 100 minutes, a recovery point must be created at least every 100 minutes. The default plan that Amazon EFS automatic backups use runs once a day, so it cannot meet this target and a new backup plan is required. AWS Backup rules are scheduled with cron expressions, and the service does not run scheduled backups more often than once per hour, so an hourly rule is the tightest schedule available; at 60 minutes it fits comfortably inside the 100-minute RPO. A backup job runs under the IAM role named in the plan's backup selection. Because the file system is encrypted with a customer managed AWS KMS key, that role must be allowed to use the key, which is granted in the key policy (the policy of an AWS managed key such as aws/elasticfilesystem cannot be edited, so this only applies to a customer managed key). Option A creates the role, the plan with an hourly schedule, and the key-policy grant, which is everything the job needs to succeed.
Why the other options fail:
- B. A cron expression that fires every 30 minutes is below the hourly minimum AWS Backup supports. AWSServiceRoleForBackup is the service-linked role AWS Backup uses internally; the role a backup job assumes is the one in the backup selection, so granting the service-linked role key access does not give the job what it needs.
- C. Continuous backups with point-in-time recovery are available for services such as Amazon RDS, Aurora and Amazon S3, not for Amazon EFS. Keeping the existing daily plan would also leave a 24-hour RPO.
- D. EFS replication copies changes, including deletions, to the destination file system. It protects against loss of a Region, creates no recovery points, and does not let a deleted document be recovered.
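As an added example (not part of the exam page or any AWS sample), the following Python builds the three artefacts option A describes: the backup plan document with an hourly rule, the backup selection that names the new IAM role, and the KMS key-policy statement that lets that role use the key. It also checks a schedule expression against the RPO so that a daily or two-hourly rule is rejected. The role ARN, file-system ARN, rule name and the exact KMS action list are placeholders and assumptions, not values from the question.

```python
"""Added example, not from the exam page: build the artefacts that option A
describes (new backup plan, backup selection with a new IAM role, KMS key-policy
statement for that role) and check a schedule against the RPO.
ARNs and names below are placeholders, not values from the question."""
import json

# Placeholders (assumptions for this example).
ROLE_ARN = "arn:aws:iam::123456789012:role/EfsHourlyBackupRole"
EFS_ARN = ("arn:aws:elasticfilesystem:us-east-1:123456789012:"
           "file-system/fs-0123456789abcdef0")
RPO_MINUTES = 100


def _expand(field, limit):
    """Expand one cron field into sorted ints in [0, limit). Handles '*', '*/n',
    'a-b', 'a,b,c' and single values: the subset used in AWS Backup schedules."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            lo, hi = 0, limit - 1
        elif "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi < limit:
            raise ValueError(f"cron field {field!r} is out of range")
        values.update(range(lo, hi + 1, step))
    return sorted(values)


def cron_gap_minutes(expr):
    """Largest gap in minutes between consecutive runs of an AWS 'cron(...)' rule.
    Only the minute and hour fields are evaluated; day, month and weekday are
    assumed to be wildcards (the rule fires every day), so a once-a-day rule
    yields 1440."""
    inner = expr.strip()
    if inner.startswith("cron(") and inner.endswith(")"):
        inner = inner[len("cron("):-1]
    fields = inner.split()
    if len(fields) != 6:
        raise ValueError("AWS cron expressions have six fields")
    firings = sorted(h * 60 + m
                     for h in _expand(fields[1], 24)
                     for m in _expand(fields[0], 60))
    gaps = [later - earlier for earlier, later in zip(firings, firings[1:])]
    gaps.append(firings[0] + 1440 - firings[-1])  # wrap across midnight
    return max(gaps)


def meets_rpo(expr, rpo_minutes=RPO_MINUTES):
    """True when the schedule never leaves more than rpo_minutes between recovery points."""
    return cron_gap_minutes(expr) <= rpo_minutes


def build_backup_plan(plan_name, expr):
    """Plan document for `aws backup create-backup-plan --backup-plan file://plan.json`.
    Refuses a schedule that cannot meet the RPO (e.g. the daily default plan)."""
    if not meets_rpo(expr):
        raise ValueError(f"{expr} leaves {cron_gap_minutes(expr)} min between "
                         f"backups; RPO is {RPO_MINUTES} min")
    return {
        "BackupPlanName": plan_name,
        "Rules": [{
            "RuleName": "EfsHourly",            # assumed rule name
            "TargetBackupVaultName": "Default",
            "ScheduleExpression": expr,
            "Lifecycle": {"DeleteAfterDays": 35},
        }],
    }


def build_backup_selection(selection_name, role_arn, resource_arns):
    """Selection document for `aws backup create-backup-selection`. The role named
    here is the one the backup job assumes, not a service-linked role."""
    return {"SelectionName": selection_name, "IamRoleArn": role_arn,
            "Resources": list(resource_arns)}


def kms_key_policy_statement(role_arn):
    """Key-policy statement allowing the backup role to use the customer managed
    key. The action list is the usual set for a service that reads and writes
    encrypted data (assumption); trim it to what AWS Backup documents."""
    return {
        "Sid": "AllowEfsBackupRoleToUseKey",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
        "Resource": "*",
    }


if __name__ == "__main__":
    hourly = "cron(0 * * * ? *)"
    print(json.dumps(build_backup_plan("efs-hourly", hourly), indent=2))
    print(json.dumps(build_backup_selection("efs-docs", ROLE_ARN, [EFS_ARN]), indent=2))
    print(json.dumps(kms_key_policy_statement(ROLE_ARN), indent=2))
```

The three JSON documents are what the `create-backup-plan`, `create-backup-selection` and `put-key-policy` CLI calls consume. The gap check treats the schedule alone; it does not model the optional start window of a rule, so keep that window small if it is set.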