SAP-C02 Question 91
Question
A company consists of two separate business units. Each business unit has its own AWS account within a single organization in AWS Organizations. The business units regularly share sensitive documents with each other. To facilitate sharing, the company created an Amazon S3 bucket in each account and configured two-way replication between the S3 buckets. The S3 buckets have millions of objects. Recently, a security audit identified that neither S3 bucket has encryption at rest enabled. Company policy requires that all documents must be stored with encryption at rest. The company wants to implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3). What is the MOST operationally efficient solution that meets these requirements?
Options
A. Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location.
B. Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS account. Encrypt the existing objects by using an S3 copy command in the AWS CLI.
C. Turn on SSE-S3 on both S3 buckets. Encrypt the existing objects by using an S3 copy command in the AWS CLI.
D. Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS account. Use S3 Batch Operations to copy the objects into the same location.
Answer
A
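Explanation
Correct answer: A
Explanation: The answer to this question is A.
Correct option: A. Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location.
Reason for choosing it: This option most directly satisfies the key constraints in the question. When working through SAP-C02 questions, check each option against the qualifiers in the question, such as highest performance, lowest operational overhead, cost-effectiveness, reliability, scalability, security, RTO/RPO, and compliance requirements. The topics relevant to this question mainly include S3, Organizations, Config, and KMS.
Elimination reasoning: B, ...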