Which combination of steps should the security engineer take to remediate this issue?

A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1. Region Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at test. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue? (Select THREE.)
A . Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.
B . Grant the IAM role the kms. Encrypt permission for the key in us-east-1 that encrypts source objects.
C . Grant the IAM role the s3 GetObjectVersionForReplication permission for objects that are in the source S3 bucket.
D . Grant the IAM role the kms. Decrypt permission for the key in us-east-1 that encrypts source objects.
E . Change the key policy of the key in us-east-1 to grant the kms. Decrypt permission to the security engineer’s IAM account.
F . Grant the IAM role the kms Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

View Answer

Answer: C D F

Explanation:

To remediate the issue of encrypted objects not being replicated, the security engineer needs to ensure that the IAM role used for replication has the necessary permissions to decrypt objects in the source bucket and encrypt objects in the destination bucket. The steps the security engineer should take are:

Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects (option D): This permission is necessary because the IAM role needs to be able to decrypt the objects in the source bucket (us-east-1) before they can be replicated.

Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects in the destination S3 bucket (option F): After decrypting the objects from the source bucket, the IAM role will need to encrypt the objects again before storing them in the destination bucket (us-west-2). Therefore, it needs the kms:Encrypt permission for the key in the destination region.

Grant the IAM role the s3:GetObjectVersionForReplication permission for objects in the source S3 bucket (option C): This permission is necessary to allow the IAM role to retrieve the object versions from the source bucket for replication.

Hence, the correct combination of steps to take would be options C, D, and F.