Which solution meets these requirements?

By:
In: DOP-C01
Tagged:
With: 1 Comment
A company is building a solution for storing files containing Personally Identifiable Information (PII) on AWS.Requirements state:✑ All data must be encrypted at rest and in transit.✑ All data must be replicated in at least two locations that are at least 500 miles (805 kilometers) apart.

Which solution meets these requirements?

Create primary and secondary Amazon S3 buckets in two separate Availability Zones that are at least 500 miles (805 kilometers) apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce Amazon S3 SSE-C on all objects uploaded to the bucket. Configure cross- region replication between the two buckets.

Create primary and secondary Amazon S3 buckets in two separate AWS Regions that are at least 500 miles (805 kilometers) apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce S3-Managed Keys (SSE-S3) on all objects uploaded to the bucket. Configure cross-region replication between the two buckets.

Create primary and secondary Amazon S3 buckets in two separate AWS Regions that are at least 500 miles (805 kilometers) apart. Use an IAM role to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce Amazon S3-Managed Keys (SSE-S3) on all objects uploaded to the bucket. Configure cross-region replication between the two buckets.

Create primary and secondary Amazon S3 buckets in two separate Availability Zones that are at least 500 miles (805 kilometers) apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce AWS KMS encryption on all objects uploaded to the bucket. Configure cross-region replication between the two buckets. Create a KMS Customer Master Key (CMK) in the primary region for encrypting objects.

Explanations:

The solution suggests using two Availability Zones, but the requirements specify that the locations must be at least 500 miles apart. Availability Zones within a region are typically located within a smaller geographical distance, which would not meet the 500-mile requirement.

This solution correctly uses two separate AWS Regions, which are geographically dispersed and meet the 500-mile distance requirement. The use of SSE-S3 for encryption at rest and HTTPS for encryption in transit aligns with the requirements. Cross-region replication ensures data redundancy across separate regions.

The use of an IAM role to enforce HTTPS access is unnecessary because this can be achieved directly via bucket policies. Additionally, the option does not provide a specific enforcement of encryption at rest, such as SSE-S3 being strictly required.

While the solution uses cross-region replication and includes KMS for encryption, it places the primary and secondary buckets in separate Availability Zones, not Regions. Availability Zones are not guaranteed to be 500 miles apart, failing to meet the geographical distance requirement.

2025-09-30

1 Comment

  1. Julia
    Author

    I weigh that the answer is:
    Create primary and secondary Amazon S3 buckets in two separate AWS Regions that are at least 500 miles (805 kilometers) apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce S3-Managed Keys (SSE-S3) on all objects uploaded to the bucket. Configure cross-region replication between the two buckets.

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen + 8 =