Which of the following solutions should the Solutions Architect recommend?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A company is migrating an application to AWS.It wants to use fully managed services as much as possible during the migration.The company needs to store large, important documents within the application with the following requirements:✑ The data must be highly durable and available.✑ The data must always be encrypted at rest and in transit.✑ The encryption key must be managed by the company and rotated periodically.

Which of the following solutions should the Solutions Architect recommend?

Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.

Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.

Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.

Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.

Explanations:

The storage gateway in file gateway mode primarily serves as a bridge between on-premises environments and AWS, but it does not meet the requirement for the company to manage encryption keys. Additionally, EBS volume encryption is more suited for block storage rather than the needs of managing large documents directly.

Amazon S3 provides high durability and availability for stored data, meeting the requirement. It allows for server-side encryption with AWS KMS keys, where the company can manage the encryption keys, and bucket policies can enforce HTTPS and encryption, fulfilling the criteria of encryption at rest and in transit.

Amazon DynamoDB is a highly durable and available NoSQL database, but the requirement specifies storing large documents. While it supports SSL and encryption at rest via AWS KMS, it may not be the best fit for large document storage compared to S3, especially since the primary use case is not for document storage.

While using EBS volumes with encryption via AWS KMS meets the encryption requirements, EBS volumes are not designed for storing large amounts of data in a highly durable and available manner like S3. Additionally, the management of keys and rotation is less flexible compared to S3’s KMS capabilities.

2026-03-21

2 Comments

  1. Deborah
    Author

    I outline that the answer is:
    Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.

  2. Carolyn
    Author

    As I recall, the answer is:
    Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.

Leave a Reply

Your email address will not be published. Required fields are marked *

twelve + three =