AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 19
An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information
(PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.
Which combination of services will support these requirements? (Choose two.)
Answer options
- A. Amazon Aurora in a private subnet
- B. Amazon CloudFront using AWS Lambda@Edge
- C. Customer-managed MySQL with Transparent Data Encryption
- D. Application Load Balancer using HTTPS listeners and targets
- E. AWS Key Management Services
Correct answer: B, E
Explanation
The correct answers are B and E. The three requirements are that PII elements are encrypted as soon as feasible after receipt, that the front-end EC2 instances never handle decrypted PII, and that exactly one service inside the production VPC decrypts it using an IAM role. Amazon CloudFront with AWS Lambda@Edge (B) meets the first two: a viewer-request function (or CloudFront field-level encryption) encrypts the PII form fields with a public key before CloudFront forwards the request to the origin, so the EC2 instances only ever see ciphertext. AWS Key Management Service (E) holds the corresponding key; the key policy grants kms:Decrypt only to the decrypting service's IAM role, and every decrypt call is logged in AWS CloudTrail.
The other options do not satisfy the requirements. Amazon Aurora in a private subnet (A) limits network exposure of the database but encrypts no individual fields and does nothing to keep plaintext away from the front end. Customer-managed MySQL with Transparent Data Encryption (C) encrypts the data files at rest only; the PII still travels in plaintext through the EC2 instances and over the database session. An Application Load Balancer with HTTPS listeners and targets (D) protects data in transit, but TLS terminates on the load balancer and again on the instances, so the front end still processes decrypted PII.