AWS Certified Developer – Associate (DVA-C02) — Question 327
A company uses Amazon Simple Queue Service (Amazon SQS) to decouple its microservices architecture. Some messages in an SQS queue contain sensitive information. A developer must implement a solution that encrypts all the data at rest.
Which solution will meet this requirement?
Answer options
- A. Enable server-side encryption for the SQS queue by using an SQS managed encryption key (SSE-SQS).
- B. Use the aws:SecureTransport condition in the queue policy to ensure that only HTTPS (TLS) is used for all requests to the SQS queue.
- C. Use AWS Certificate Manager (ACM) to generate an SSL/TLS certificate. Reference the certificate when messages are sent to the queue.
- D. Set a message attribute in the SQS SendMessage request for messages that are sent to the queue. Set the Name to ENCRYPT. Set the Value to TRUE.
Correct answer: A
Explanation
Enabling server-side encryption with an SQS-managed key (SSE-SQS) is the built-in way to protect data at rest in an SQS queue. Option B enforces encryption in transit (TLS on the connection), not encryption at rest. Option C is incorrect because SQS does not support referencing AWS Certificate Manager certificates for message encryption, and option D is incorrect because a custom message attribute is just metadata and does not trigger any native encryption.