Which solution will meet these requirements with the LEAST operational overhead?

By:
On:
In: SAP-C01
Tagged:
With: 0 Comments
A company has millions of objects in an Amazon S3 bucket.The objects are in the S3 Standard storage class.All the S3 objects are accessed frequently.The number of users and applications that access the objects is increasing rapidly.The objects are encrypted with server-side encryption with AWS KMS keys (SSE-KMS).A solutions architect reviews the company’s monthly AWS invoice and notices that AWS KMS costs are increasing because of the high number of requests from Amazon S3.The solutions architect needs to optimize costs with minimal changes to the application.

Which solution will meet these requirements with the LEAST operational overhead?

Create a new S3 bucket that has server-side encryption with customer-provided keys (SSE-C) as the encryption type. Copy the existing objects to the new S3 bucket. Specify SSE-C.

Create a new S3 bucket that has server-side encryption with Amazon S3 managed keys (SSE-S3) as the encryption type. Use S3 Batch Operations to copy the existing objects to the new S3 bucket. Specify SSE-S3.

Use AWS CloudHSM to store the encryption keys. Create a new S3 bucket. Use S3 Batch Operations to copy the existing objects to the new S3 bucket. Encrypt the objects by using the keys from CloudHSM.

Use the S3 Intelligent-Tiering storage class for the S3 bucket. Create an S3 Intelligent-Tiering archive configuration to transition objects that are not accessed for 90 days to S3 Glacier Deep Archive.

Explanations:

Using customer-provided keys (SSE-C) requires managing the encryption keys manually, which adds operational overhead. Additionally, it does not reduce the number of KMS requests, as each S3 object retrieval will still require decryption, increasing costs.

Switching to server-side encryption with Amazon S3 managed keys (SSE-S3) reduces AWS KMS costs since S3 manages the encryption keys automatically. This option minimizes operational overhead by using S3 Batch Operations to copy the objects to a new bucket without needing to manage keys manually.

Using AWS CloudHSM for key management requires significant operational overhead in managing the HSM and its keys. This solution does not directly address the high KMS costs associated with frequent S3 access. Additionally, it would require copying objects to a new bucket, similar to option B, but with added complexity.

Although S3 Intelligent-Tiering can optimize storage costs by automatically moving objects between access tiers, it does not address the increase in AWS KMS costs directly related to the high number of requests. Furthermore, transitioning objects to S3 Glacier Deep Archive involves additional operational considerations and does not help with immediate KMS cost reduction.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × two =