Which solution will meet these requirements with the LEAST amount of effort?
Create a new S3 bucket. Turn on the default encryption settings for the new S3 bucket. Download all existing objects to temporary local storage. Upload the objects to the new S3 bucket.
Turn on the default encryption settings for the S3 bucket. Use the S3 Inventory feature to create a .csv file that lists the unencrypted objects. Run an S3 Batch Operations job that uses the copy command to encrypt those objects.
Create a new encryption key by using AWS Key Management Service (AWS KMS). Change the settings on the S3 bucket to use server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Turn on versioning for the S3 bucket.
Navigate to Amazon S3 in the AWS Management Console. Browse the S3 bucket’s objects. Sort by the encryption field. Select each unencrypted object. Use the Modify button to apply default encryption settings to every unencrypted object in the S3 bucket.
Explanations:
This option requires significant manual effort to download and re-upload millions of objects, making it inefficient and time-consuming.
This option effectively enables encryption for existing unencrypted objects with minimal effort by using S3 Inventory to identify them and S3 Batch Operations to automate the encryption process.
While this option enables KMS encryption, it does not handle existing unencrypted objects, only applying to future uploads. It lacks a solution for retrofitting existing data.
This option is impractical for millions of objects as it involves manually selecting each unencrypted object and applying changes, which is inefficient and not scalable.
I strategize that the answer is:
Turn on the default encryption settings for the S3 bucket. Use the S3 Inventory feature to create a .csv file that lists the unencrypted objects. Run an S3 Batch Operations job that uses the copy command to encrypt those objects.