
Answer-first summary for fast verification
Answer: Turn on the default encryption settings for the S3 bucket. Use the S3 Inventory feature to create a .csv file that lists the unencrypted objects. Run an S3 Batch Operations job that uses the copy command to encrypt those objects.
## Explanation

**Option B is the correct answer** because it provides the most efficient and automated approach to encrypting millions of existing objects while ensuring future objects are encrypted.

### Why Option B is correct:

1. **Default encryption settings**: Turning on default encryption ensures all new objects added to the bucket will be automatically encrypted.
2. **S3 Inventory**: This feature can generate a CSV file listing all unencrypted objects, providing a comprehensive inventory of what needs to be encrypted.
3. **S3 Batch Operations**: This is specifically designed for bulk operations on large numbers of S3 objects. Using the copy command with encryption will efficiently encrypt all existing objects without manual intervention.

### Why other options are incorrect:

**Option A**: This approach is inefficient and costly because:

- It requires downloading millions of objects to local storage (massive data transfer costs)
- It requires re-uploading all objects (additional costs and time)
- It requires creating a new bucket and potentially updating CloudFront distribution

**Option C**: This only addresses future objects, not existing ones. While turning on SSE-KMS with default encryption will encrypt new objects, it does nothing for the millions of existing unencrypted objects.

**Option D**: This is impractical for millions of objects. The AWS Management Console is not designed for bulk operations on millions of objects, and manually selecting each object would be impossible.

### Key AWS Services Used:

- **S3 Default Encryption**: Ensures all new objects are encrypted automatically
- **S3 Inventory**: Provides detailed inventory reports of S3 objects
- **S3 Batch Operations**: Performs large-scale batch operations on S3 objects

This solution meets both requirements: encrypting all existing objects (via S3 Batch Operations) and ensuring future objects are encrypted (via default encryption settings), with minimal manual effort.
Author: LeetQuiz Editorial Team
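The step between S3 Inventory and S3 Batch Operations in Option B, as an added example that is not part of the original page: an inventory report configured with the optional `EncryptionStatus` field lists every object, so the `NOT-SSE` rows have to be filtered into the `bucket,key` CSV manifest that a Batch Operations copy job reads. The bucket name, sample rows, and the function names `unencrypted_rows` and `build_manifest` are constructed for illustration.

```python
import csv
import io
from urllib.parse import unquote

# Constructed sample: the "fileSchema" string from an inventory manifest.json and
# three data rows. Inventory CSV files have no header row and keys are URL-encoded.
SAMPLE_SCHEMA = "Bucket, Key, Size, EncryptionStatus"
SAMPLE_INVENTORY = (
    '"example-site-bucket","index.html","5120","NOT-SSE"\n'
    '"example-site-bucket","img/logo%20v2.png","20480","SSE-S3"\n'
    '"example-site-bucket","css/site.css","1024","NOT-SSE"\n'
)


def unencrypted_rows(schema, inventory_csv):
    """Yield (bucket, url_encoded_key) for rows whose EncryptionStatus is NOT-SSE."""
    columns = [c.strip() for c in schema.split(",")]
    if "EncryptionStatus" not in columns:
        # Without this field the report cannot tell encrypted from unencrypted objects.
        raise ValueError("inventory was configured without the EncryptionStatus field")
    b, k, e = (columns.index(n) for n in ("Bucket", "Key", "EncryptionStatus"))
    for row in csv.reader(io.StringIO(inventory_csv)):
        if len(row) != len(columns):
            raise ValueError(f"row does not match schema: {row!r}")
        if row[e] == "NOT-SSE":
            yield row[b], row[k]


def build_manifest(schema, inventory_csv):
    """Return a Batch Operations CSV manifest: one bucket,key line per object.

    Keys are left URL-encoded, which is the form the manifest format expects.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for bucket, key in unencrypted_rows(schema, inventory_csv):
        writer.writerow([bucket, key])
    return out.getvalue()


if __name__ == "__main__":
    print(build_manifest(SAMPLE_SCHEMA, SAMPLE_INVENTORY), end="")
    for bucket, key in unencrypted_rows(SAMPLE_SCHEMA, SAMPLE_INVENTORY):
        print("needs encryption:", bucket, unquote(key))
```

Re-running the same filter on an inventory report generated after the job completes should yield an empty manifest, which confirms that no unencrypted objects remain.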
A company has a serverless website with millions of objects in an Amazon S3 bucket. The company uses the S3 bucket as the origin for an Amazon CloudFront distribution. The company did not set encryption on the S3 bucket before the objects were loaded. A solutions architect needs to enable encryption for all existing objects and for all objects that are added to the S3 bucket in the future.
Which solution will meet these requirements with the LEAST amount of effort?
A. Create a new S3 bucket. Turn on the default encryption settings for the new S3 bucket. Download all existing objects to temporary local storage. Upload the objects to the new S3 bucket.

B. Turn on the default encryption settings for the S3 bucket. Use the S3 Inventory feature to create a .csv file that lists the unencrypted objects. Run an S3 Batch Operations job that uses the copy command to encrypt those objects.

C. Create a new encryption key by using AWS Key Management Service (AWS KMS). Change the settings on the S3 bucket to use server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Turn on versioning for the S3 bucket.

D. Navigate to Amazon S3 in the AWS Management Console. Browse the S3 bucket's objects. Sort by the encryption field. Select each unencrypted object. Use the Modify button to apply default encryption settings to every unencrypted object in the S3 bucket.