SAA-C03 Question #462: Real Exam Question with Answer & Explanation
Question
A company needs a data encryption solution for a machine learning (ML) process. The solution must use an AWS managed service. The ML process currently reads a large number of objects in Amazon S3 that are encrypted by a customer managed AWS KMS key. The current process incurs significant costs because of excessive calls to AWS Key Management Service (AWS KMS) to decrypt S3 objects. The company wants to reduce the costs of API calls to decrypt S3 objects. Which solution will meet this requirement?
Options
- A. Switch from a customer managed KMS key to an AWS managed KMS key.
- B. Remove the AWS KMS encryption from the S3 bucket. Use a bucket policy to encrypt the data
- C. Recreate the KMS key in AWS CloudHSM.
- D. Use S3 Bucket Keys to perform server-side encryption with AWS KMS keys (SSE-KMS) to
Explanation
Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using CloudHSM (C) adds cost and operational burden. Therefore, the correct solution is D - enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure