A company migrated millions of archival files to Amazon S3. The solutions architect must encrypt all archival data using a customer-provided key, and the solution must encrypt both existing unencrypted objects and future objects. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a list of unencrypted objects by filtering an Amazon S3 Inventory report. Configure an S3 Batch Operations job to encrypt the objects from the list with a server-side encryption with a customer-provided key (SSE-C). Configure the S3 default encryption feature to use a server-side encryption with a customer-provided key (SSE-C)..
Why this is the answer
The correct solution addresses both existing and future objects with SSE-C. An S3 Inventory report can identify unencrypted objects, and S3 Batch Operations can then re-encrypt these existing objects using SSE-C. For future objects, configuring S3 default encryption with SSE-C ensures all new uploads are automatically encrypted with the customer-provided key. The other options are incorrect because: Using S3 Storage Lens and SSE-KMS does not meet the requirement for a customer-provided key (SSE-C) and doesn't explicitly address existing unencrypted objects with a batch process. Using an AWS usage report and AWS Batch job with SSE-KMS also fails to meet the SSE-C requirement. AWS usage reports are not designed for detailed object-level inventory. Filtering an AWS usage report and only setting default encryption with SSE-C addresses future objects but not existing unencrypted objects.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed