A company stores frequently accessed objects in an Amazon S3 bucket and enforces strict encryption requirements. The company uses AWS Key Management Service (AWS KMS) for encryption but wants to reduce costs associated with S3 object encryption without making additional AWS KMS calls. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use an S3 Bucket Key for server-side encryption with AWS KMS keys (SSE-KMS) on the new objects..
Why this is the answer
The correct answer is to use an S3 Bucket Key for server-side encryption with AWS KMS keys (SSE-KMS) on new objects. S3 Bucket Keys reduce the cost of SSE-KMS by decreasing the number of requests made to AWS KMS. Instead of requesting a new data key for each object, S3 generates a short-lived bucket key from KMS, which can then be used to encrypt multiple objects within that bucket for a limited time. This significantly reduces KMS request costs while maintaining the security benefits of KMS. Using server-side encryption with Amazon S3 managed keys (SSE-S3) would reduce costs but does not use AWS KMS, which is a requirement. Client-side encryption with AWS KMS customer managed keys would likely increase KMS call costs as each encryption operation would require a direct KMS call. Server-side encryption with customer-provided keys (SSE-C) does not involve AWS KMS for key management, and the keys are provided by the customer, not stored in KMS.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed