Question 134

A company wants to move its application to a serverless solution. The serverless solution needs to analyze existing and new data by using SQL. The company stores the data in an Amazon S3 bucket. The data requires encryption and must be replicated to a different AWS Region.

Which solution will meet these requirements with the LEAST operational overhead?

    Correct Answer: C

    The best solution to meet the requirements with the least operational overhead is to use the existing S3 bucket and query the data using Amazon Athena. This involves loading data into the existing S3 bucket, using S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another region, and employing server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Athena is serverless, making it suitable for querying data stored in S3 without additional operational overhead, unlike Amazon RDS, which requires management of database servers.

Discussion
123jhl0 Option: C

SSE-KMS vs SSE-S3 - The last seems to have less overhead (as the keys are automatically generated by S3 and applied on data at upload, and don't require further actions). KMS provides more flexibility, but in turn involves a different service, which finally is more "complex" than just managing one (S3). So A and B are excluded. If you are in doubt, you are having 2 buckets in A and B, while just keeping one in C and D. https://s3browser.com/server-side-encryption-types.aspx

Deciding between C and D is deciding on Athena or RDS. RDS is a relational db, and we have documents on S3, which is the use case for Athena. Athena is also serverless, which eliminates the need of controlling the underlying infrastructure and capacity. So C is the answer. https://aws.amazon.com/athena/

markw92

See comment from Nicknameinvalid below. You get your answer.

MutiverseAgent

It'a since replication works for new objects but not for the existing ones, unless you use batch replication which is not the case.

Chiznitz

Answer A has you move the data before you enable replication, therefore there is no difference between A and C when it comes to the point in time you enable replication. I agree A would be a better choice if the order of operations said, create a bucket->Enable encryption->move files...but it doesn't. It has you create the bucket and move the files.

dokaedu

Answer is A: Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS. With a few clicks in the AWS Management Console, and without any changes to your client applications, you can configure your bucket to use an S3 Bucket Key for AWS KMS-based encryption on new objects. The existing S3 bucket might have unencrypted data - encryption will apply to new data received after the applying of encryption on the new bucket.

RODROSKAR

Reducing cost was never the target, it's LEAST operational. In that regard, SSE-S3 is AWS fully managed.

RBSK

Cost reduction is in comparison between a bucket-level KMS key and an object-level KMS key, not between SSE-KMS and SSE-S3. Hence it's a wrong comparison.

s50600822

Don't know what "kays" are, could they be a trap?

Bmarodi

Kays = keys, mistype I think.

AKBM7829

But in server-side encryption, multi-Region keys are not possible, which leaves Option C.

NSA_Poker

"you manage the multi-Region key in each Region independently. Neither AWS nor AWS KMS ever automatically creates or replicates multi-Region keys into any Region on your behalf. AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys." https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

SAgang

from your link you missed this part: you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS

pentium75 Option: C

Data in S3 is queried with Athena, not RDS, thus B and D are out. A requires a new bucket and loading data into that - Why, since data is already in S3? It says to enable CRR only after loading the data, so existing data won't be replicated anyway. C uses existing data (less operational overhead compared to loading data into a new bucket) and SSE-S3 (less operational overhead than SSE-KMS).

LoXoL

Most clear explanation. Thanks!

Ery Option: C

from @pentium75 Data in S3 is queried with Athena, not RDS, thus B and D are out. A requires a new bucket and loading data into that - Why, since data is already in S3? It says to enable CRR only after loading the data, so existing data won't be replicated anyway. C uses existing data (less operational overhead compared to loading data into a new bucket) and SSE-S3 (less operational overhead than SSE-KMS).

cheroh_tots

The answer is A because SSE-S3 does not support cross-region replication of encrypted data. If you perform cross-region replication, you will have to re-encrypt the data.

DHADD003 Option: A

I selected A because SSE-S3 keys are not multi-regional keys. You must use SSE-KMS for the multi-regional keys and then for serverless it's Aurora.

pentium75

It says "data requires encryption", not that it must use same key in both regions.

djgodzilla Option: A

The most suitable solution with the least operational overhead for the company's requirements is: Option A: Create a new S3 bucket. Load the data into the new S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with AWS KMS multi-Region keys (SSE-KMS). Use Amazon Athena to query the data. This option aligns with the specified requirements of encrypting the data, replicating it to a different AWS Region, and utilizing serverless querying with Amazon Athena. It also minimizes operational overhead by leveraging AWS managed services.

kmargaronis Option: C

C. is correct after January 2023 because "Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance."

ChymKuBoy Option: C

C for sure

CCCat Option: C

Since S3 provides automatic encryption for the storage objects, creating another bucket is redundant; C has the least operational overhead.

ManikRoy Option: A

What do you mean by 'load the data into the existing bucket'! The data is already staying in the existing bucket!

Solomon2001 Option: A

Option B suggests using Amazon RDS to query the data, which introduces additional complexity compared to using Amazon Athena. Option C suggests using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) instead of AWS KMS multi-Region keys, which might not meet the encryption requirements. Option D also suggests using Amazon RDS to query the data, which, as mentioned earlier, is not the best choice for a serverless solution and would result in higher operational overhead.

suryansb Option: A

awai it is correct

thewalker Option: C

As per Amazon Q: The easiest way to encrypt existing objects in S3 is to use server-side encryption with S3-managed keys (SSE-S3). Here are the basic steps:

1. Enable SSE-S3 on the target S3 bucket if it is not already enabled. This will ensure all new or copied objects are encrypted automatically.
2. Create an S3 inventory report for the source bucket containing the objects. This will generate a CSV file with metadata of all objects.
3. Use S3 Select or AWS Athena to query the inventory report and filter for only unencrypted objects.
4. Create an S3 Batch Operations job to copy the filtered unencrypted objects to the target bucket. The copy operation will automatically encrypt the objects using the bucket's SSE-S3 configuration.

thewalker

5. Monitor the job completion to ensure all objects were encrypted. You can optionally delete the original unencrypted versions after verifying successful encryption. This approach minimizes disruption and performs the encryption without having to rewrite existing data or code. Also Refer: https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-copy-example-bucket-key.html
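Steps 2 to 4 of the procedure above, sketched offline as an added example (not part of the original comment or of any AWS tooling): it reads an S3 Inventory CSV using the column order from the report's `fileSchema`, keeps the objects marked `NOT-SSE`, and writes the `bucket,key` manifest a Batch Operations copy job takes as input. The bucket name, keys and sample rows are constructed, and the sample assumes the inventory was configured with the optional encryption status field.

```python
import csv
import io
import json
from urllib.parse import unquote

# Constructed sample: the "fileSchema" entry of an inventory manifest.json and
# three rows of the matching inventory CSV. Inventory CSV files carry no header
# row, and object keys in them are URL-encoded.
MANIFEST_JSON = '{"fileSchema": "Bucket, Key, Size, EncryptionStatus"}'
INVENTORY_CSV = (
    '"example-source-bucket","logs/2022/app.log","1048576","NOT-SSE"\n'
    '"example-source-bucket","reports/summary.csv","2048","SSE-S3"\n'
    '"example-source-bucket","raw/a%26b.json","512","NOT-SSE"\n'
)


def unencrypted_objects(manifest_json, inventory_csv):
    """Return (bucket, url_encoded_key) pairs whose EncryptionStatus is NOT-SSE."""
    schema = [c.strip() for c in json.loads(manifest_json)["fileSchema"].split(",")]
    if "EncryptionStatus" not in schema:
        # Encryption status is an optional inventory field; fail loudly rather
        # than report "nothing to encrypt" from a report that cannot tell.
        raise ValueError("inventory report does not include EncryptionStatus")
    rows = csv.DictReader(io.StringIO(inventory_csv), fieldnames=schema)
    return [(r["Bucket"], r["Key"]) for r in rows
            if r["EncryptionStatus"] == "NOT-SSE"]


def batch_manifest(pairs):
    """Build the CSV manifest (one bucket,key per line) for a Batch Operations job."""
    out = io.StringIO()
    # Keys stay URL-encoded, as they appear in the inventory report.
    csv.writer(out, lineterminator="\n").writerows(pairs)
    return out.getvalue()


if __name__ == "__main__":
    todo = unencrypted_objects(MANIFEST_JSON, INVENTORY_CSV)
    print(batch_manifest(todo), end="")
    # Decoded keys for human review only; the manifest keeps the encoded form.
    print([unquote(key) for _, key in todo])
```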

SaurabhTiwari1 Option: A

A is correct - SSE-KMS is multi region keys and Athena is serverless for analyze. C is incorrect - SSE-S3 is region specific for encryption.

chasingsummer Option: C

SSE-S3 is the easiest to use and offers strong encryption, while SSE-C provides more control over your encryption keys (and much more admin overhead)

ale_brd_ Option: C

Therefore, the most appropriate solution to meet the requirements of the serverless application is to load the data into the existing S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use Amazon Athena to query the data. This solution effectively leverages the existing S3 bucket, S3 Cross-Region Replication for data replication, SSE-S3 for encryption, and Amazon Athena for efficient data querying, enabling the company to analyze existing and new data with minimal management effort and a serverless architecture.