🔥 3-day streak
AWS Certified Security - Specialty132 / 184
Question 132 of 184

A company has an S3 bucket containing several million objects that were uploaded over the past three years without server-side encryption. A new compliance requirement mandates that all existing objects must be encrypted at rest with a customer managed AWS KMS key (SSE-KMS). Enabling default encryption on the bucket has only affected new uploads. The security engineer must encrypt the existing objects with the least operational effort while retaining object metadata and versioning history. Which approach should the engineer use?

Reviewed for accuracy · Report an issueNext question