A company runs a serverless website with millions of objects in an Amazon S3 bucket that is the origin for an Amazon CloudFront distribution. The bucket had no encryption set before the objects were uploaded. A solutions architect must enable encryption for all existing objects and for all future objects with the LEAST amount of effort. Which solution meets the requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Enable default encryption on the existing S3 bucket. Use S3 Inventory to generate a .csv of unencrypted objects and run an S3 Batch Operations job that uses the copy command to encrypt those objects..
Why this is the answer
Enabling default encryption on the existing S3 bucket ensures all future objects are encrypted. For existing unencrypted objects, S3 Batch Operations with the CopyObject API call is the most efficient method. Copying an object to itself, even within the same bucket, triggers the default encryption settings. S3 Inventory helps identify all unencrypted objects to include in the Batch Operations job. Creating a new bucket and re-uploading (Option A) is more effort and incurs additional data transfer costs. Changing to SSE-KMS and enabling versioning (Option C) does not encrypt existing objects; versioning is unrelated to encrypting existing objects. Manually modifying each object (Option D) is impractical for millions of objects.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed