Which combination of steps will meet these requirements with the LEAST operational overhead?
(Choose three.)
Use an existing automated snapshot or manual snapshot, or create a manual snapshot of the DB instance.
Identify the S3 bucket for export. Provide access to the S3 bucket by using an IAM user. Attach an IAM policy with s3:PutObject*, s3:GetObject*, s3:ListBucket, s3:DeleteObject*, and s3:GetBucketLocation permissions to the IAM user. Attach the IAM role to the DB instance.
Create a copy of an existing automated snapshot or manual snapshot of the DB instance.
Create a symmetric AWS Key Management Service (AWS KMS) key for server-side encryption. Export the snapshot to Amazon S3.
Identify the S3 bucket for export. Provide access to the S3 bucket by using an IAM role. Attach an IAM policy with s3:PutObject*, s3:GetQpject*, s3:ListBucket, s3:DeleteObject*, and s3:GetBucketLocation permissions to the IAM role. Attach the IAM role to the DB instance.
Create a symmetric AWS Key Management Service (AWS KMS) key for server-side encryption. Export the snapshot to Amazon S3 Glacier Flexible Retrieval.
Explanations:
A snapshot (either manual or automated) of the DB instance is required as a starting point for the export to S3.
This option uses an IAM user for access, but the correct approach is to use an IAM role that is attached to the DB instance for least privilege.
Creating a copy of an existing snapshot is unnecessary because the snapshot itself can be directly exported.
An AWS KMS key for encryption is needed for secure export to S3, and this is a required step for encryption during export.
The correct method is to use an IAM role with the necessary S3 permissions, not an IAM user. This role is attached to the DB instance for export.
Exporting to Amazon S3 Glacier Flexible Retrieval is not suitable for database exports, as it is designed for archival storage rather than active data access.