Your team is planning to use AWS Backup to centralize the backup of various AWS and on-premises services. The backups are required to be separated into different categories and saved in different containers. Each container should have its own AWS Key Management Service (AWS KMS) key to encrypt backups. How would you achieve this requirement?

Answer options:

A.Organize backups into different S3 buckets and enable Server-Side Encryption with SSE-KMS.
B.Organize backups into different AWS Backup vaults with their own KMS keys.
C.Organize backups with different tags and associate a KMS key with each tag.
D.Organize backups with different backup plans and configure a dedicated KMS key for each backup plan.

Correct Answer: B
Option A is incorrect because users cannot organize backups into S3 buckets. AWS Backups use vaults to store the backups.
Option B is CORRECT because users should create several AWS Backup vaults and choose a different KMS key for each vault. Please check the following snapshot on how to create a Backup vault:
Option C is incorrect because users cannot associate KMS keys with tags for AWS Backup. This option is not applicable.
Option D is incorrect because users cannot associate a KMS key when configuring a backup plan.
References:
https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html
https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html