Which solution will meet these requirements with the LEAST amount of operational effort?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A medical company wants to perform transformations on a large amount of clinical trial data that comes from several customers.The company must extract the data from a relational database that contains the customer data.Then the company will transform the data by using a series of complex rules.The company will load the data to Amazon S3 when the transformations are complete.All data must be encrypted where it is processed before the company stores the data in Amazon S3.All data must be encrypted by using customer-specific keys.

Which solution will meet these requirements with the LEAST amount of operational effort?

Create one AWS Glue job for each customer. Attach a security configuration to each job that uses server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the data.

Create one Amazon EMR cluster for each customer. Attach a security configuration to each cluster that uses client-side encryption with a custom client-side root key (CSE-Custom) to encrypt the data.

Create one AWS Glue job for each customer. Attach a security configuration to each job that uses client-side encryption with AWS KMS managed keys (CSE-KMS) to encrypt the data.

Create one Amazon EMR cluster for each customer. Attach a security configuration to each cluster that uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt the data.

Explanations:

AWS Glue jobs can use server-side encryption with Amazon S3 managed keys (SSE-S3), but this does not allow for customer-specific keys, which are required for the encryption. SSE-S3 uses Amazon S3-managed keys, making it unsuitable for meeting the specific encryption requirements.

While Amazon EMR can use client-side encryption with a custom client-side root key (CSE-Custom), managing custom client-side keys can lead to increased operational complexity. Additionally, it does not guarantee that data is encrypted before processing, as it requires more manual handling of keys and encryption processes.

AWS Glue jobs can be configured with client-side encryption using AWS KMS managed keys (CSE-KMS), allowing the use of customer-specific keys. This solution minimizes operational effort because AWS Glue automates many tasks, including job scheduling and resource management, while ensuring that data is encrypted during the transformation process.

Amazon EMR can use server-side encryption with AWS KMS keys (SSE-KMS), but like SSE-S3, this encryption occurs after the data is processed. It does not meet the requirement of encrypting the data before it is processed, making it an unsuitable choice for this scenario.

2025-10-24

1 Comment

  1. Arthur
    Author

    I rate that the answer is:
    Create one AWS Glue job for each customer. Attach a security configuration to each job that uses client-side encryption with AWS KMS managed keys (CSE-KMS) to encrypt the data.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 − three =