Timed Set 3 – Identity and Access Management Q7 – incorrect options for answers

[AJam]

Hi. Below is question.

A security engineer enabled Amazon S3 Cross-Region Replication (CRR) for all objects from a source bucket in ap-southeast-1 to a destination bucket in ap-northeast-2 in the same AWS account. Some of the objects from the source bucket are encrypted at rest using AWS KMS keys (SSE-KMS).

The replication setup utilizes a newly created customer-managed key (CMK) from ap-northeast-2 and an IAM role. It should encrypt all objects in the destination bucket at rest using the newly created key.

Several days later, the engineer discovered that the encrypted objects from the source bucket were not replicated to the destination bucket, while all the unencrypted objects were successfully processed.

Which combination of steps the security engineer must do to resolve the issue? (Select THREE)

– Grant IAM role with

s3:GetObjectVersionForReplication action for objects in the ap-southeast-1 source bucket.
– Configure replication configuration to use the same key with the encrypted objects from the source bucket.
– Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-northeast-1 used to encrypt object replica in the destination bucket.
– Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-southeast-1 used to encrypt the source objects.
– Grant IAM role with s3:GetObjectVersion action for objects in ap-southeast-1 source bucket.
– Grant IAM role with kms:Decrypt action for the AWS KMS key in ap-southeast-1 used to encrypt the source objects.

As per the explanation, one of the correct answers is ” Grant IAM role with kms:Encrypt action for the AWS KMS key in ap-northeast-1 used to encrypt object replica in the destination bucket.”
however this is incorrect because as per the question, the destination bucket is in ap-northeast-2 not ap-northeast-1. Please update the answer options.