Crucial Exams

AWS Certified Solutions Architect Professional SAP-C02 Practice Question

Your organization ingests 500 TB of telemetry data every day into an Amazon S3 bucket. The ingestion micro-services already send PutObject requests with the header x-amz-server-side-encryption: aws:kms, which uses the bucket's default AWS-managed key.

A new compliance mandate states that:

  • The encryption key material must reside in a single-tenant FIPS 140-2 Level 3 hardware security module (HSM) that the company fully controls within the same AWS Region.
  • Application code and existing API calls must not be modified.

Which approach meets the new requirement for encryption at rest with the least disruption?

  • Create an AWS CloudHSM cluster and a KMS custom key store backed by that cluster, generate a symmetric customer-managed key in the store, and configure the S3 bucket to use this key for SSE-KMS.

  • Enable bucket-level default encryption with SSE-S3 (AES-256) and enforce its use through a bucket policy.

  • Encrypt objects client-side with the AWS Encryption SDK and upload them to S3 without any server-side encryption header.

  • Switch to server-side encryption with customer-provided keys (SSE-C) by including the x-amz-server-side-encryption-customer-key header in each PutObject call.

AWS Certified Solutions Architect Professional SAP-C02
Design for New Solutions
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot