• .AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. 
• You cannot create an encrypted Read Replica from an unencrypted master DB instance. You also cannot enable encryption after launch time for the master DB instance. That's why we can't enable encryption using Key Management Service (KMS) when creating the cross-region Read Replica.

• You cannot create an encrypted Read Replica from an unencrypted master DB instance. You also cannot enable encryption after launch time for the master DB instance. That's why we can't encrypt a snapshot from the master DB instance, create an encrypted cross-region Read Replica from the snapshot.

.Similar reason as above.

You cannot create an encrypted Read Replica from an unencrypted master DB instance. You also cannot enable encryption after launch time for the master DB instance. Therefore, you must create a new master DB by taking a snapshot of the existing DB, encrypting it, and then creating the new DB from the snapshot. You can then create the encrypted cross-region Read Replica of the master DB.

"Master database is not encrypted" - For this you must create a new master DB by taking a snapshot of the existing DB, encrypting it, and then creating the new DB from the snapshot. You can then create the encrypted cross-region Read Replica of the master DB.

Amazon Kinesis Data Streams collect and process data in real time. A Kinesis data stream is a set of shards. Each shard has a sequence of data records. Each data record has a sequence number hat is assigned by Kinesis Data Streams. A shard is a uniquely identified sequence of data records in a stream.

A partition key is used to group data by shard within a stream. Kinesis Data Streams segregates the data records belonging to a stream into multiple shards. It uses the partition key that is associated with each data record to determine which shard a given data record belongs to.

For this scenario, the solutions architect can use a partition key for each device. This will ensure the records for that device are grouped by shard and the shard will ensure ordering. Amazon S3 is a valid destination for saving data records.

SQS is not the most efficient service for streaming, real-time data.

You cannot save data to EBS from Kinesis.

SQS FIFO queue can

• receive messages in the order they were sent.
• 300 messages/s without batching, 3000 /s with batching

1."in real time" - clearly rules out SQS options as SQS isn't suitable with real-time data.

2."data is saved for future processing." - You cannot save data to EBS from Kinesis.That's only leave us with option A & S3 is suitable storage.

AWS Data Pipeline can be used to automate the movement and transformation of data, it relies on other services to actually transform the data.

The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration that identifies the events you want Amazon S3 to publish and the destinations where you want Amazon S3 to send the notifications. You store this configuration in the notification subresource that is associated with a bucket.

S3 event notifications triggering a Lambda function is completely serverless and cost-effective.

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics into a data store such as S3.

Kinesis Data Streams is used for processing data, rather than extracting and transforming it. The Kinesis consumers are EC2 instances which are not as cost-effective as serverless solutions.

1."MOST cost-effective" - means we require a serverless solution which clear cut indicate towards Lambda & Glue as both are serverless.

2." transformation should be triggered by an event" - clearly refers to S3 event notifications.

3. "should then be loaded into a target data store" - AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics into a data store such as S3.