🔥 3-day streak
AWS Certified Security - Specialty108 / 157
Question 108 of 157
A company has an S3 bucket containing 40 TB of existing objects, most of which are currently unencrypted or encrypted with SSE-S3. A new data classification policy requires that all objects—both new and existing—be encrypted with a specific customer managed AWS KMS key. Enabling default bucket encryption with the KMS key has already ensured that newly uploaded objects are encrypted correctly, but the security team confirms the existing objects remain unchanged. Which approach re-encrypts the existing objects with the required KMS key with the least operational effort?
Reviewed for accuracy · Report an issueNext question