AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions. Which solution will meet these requirements with the LEAST operational overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.

Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.

Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.

Explanation:

Explanation

Correct Answer: B

Why Option B is correct:

Multi-Region KMS Key: AWS KMS multi-Region keys allow you to have the same key material replicated across multiple AWS Regions. This means you can encrypt and decrypt data with the same key in different regions.
Same KMS Key Requirement: The requirement states that data in both S3 buckets must be encrypted and decrypted with the same KMS key. Multi-Region KMS keys provide exactly this capability.
Key Storage in Each Region: With multi-Region keys, the key material is stored in each region where the key is created, meeting the requirement that "the data and the key must be stored in each of the two Regions."
Least Operational Overhead: Multi-Region keys automatically handle key synchronization across regions, reducing operational overhead compared to managing separate keys in each region.
Client-Side Encryption: While client-side encryption adds some complexity, it's necessary because S3 replication doesn't automatically re-encrypt data with a different KMS key when replicating across regions.

Why other options are incorrect:

Option A: Uses SSE-S3 (Amazon S3 managed keys), not customer managed KMS keys as required.
Option C: Creates separate KMS keys in each region (not the same key), and uses SSE-S3 instead of KMS encryption.
Option D: Creates separate KMS keys in each region (not the same key). While it uses SSE-KMS, each region would have its own independent key, not the same key material.

Key AWS Concepts:

Multi-Region KMS Keys: Allow you to replicate key material across AWS regions
SSE-KMS: Server-side encryption with AWS KMS managed keys
SSE-S3: Server-side encryption with Amazon S3 managed keys
Client-Side Encryption: Application encrypts data before sending to S3
S3 Cross-Region Replication: Copies objects between buckets in different regions

The solution meets all requirements: same KMS key material in both regions, customer managed key, data and key stored in each region, with minimal operational overhead using AWS's multi-Region KMS feature.

Powered ByGPT-5.2

Comments

Loading comments...