🔥 3-day streak
AWS Certified Security - Specialty135 / 184
Question 135 of 184

A financial services company stores millions of small objects (each under 100 KB) in a single S3 bucket. Compliance requires that all objects be encrypted at rest with a customer-managed KMS key so that key usage can be audited and access can be revoked independently of S3. After enabling SSE-KMS with a customer-managed key as the bucket default, the security team notices AWS KMS request charges have risen dramatically because every GET and PUT triggers a KMS API call. The team must reduce KMS request costs while still meeting the requirement to use the customer-managed key for auditable, revocable encryption. What should they do?

Reviewed for accuracy · Report an issueNext question