AWS Certified Developer – Associate — Question 17
A Development team is working on a case management solution that allows medical claims to be processed and reviewed. Users log in to provide information related to their medical and financial situations.
As part of the application, sensitive documents such as medical records, medical imaging, bank statements, and receipts are uploaded to Amazon S3. All documents must be securely transmitted and stored. All access to the documents must be recorded for auditing.
What is the MOST secure approach?
Answer options
- A. Use S3 default encryption using Advanced Encryption Standard-256 (AES-256) on the destination bucket.
- B. Use Amazon Cognito for authorization and authentication to ensure the security of the application and documents.
- C. Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket.
- D. Use client-side encryption/decryption with Amazon S3 and AWS KMS.
Correct answer: D
Explanation
The most secure approach is D. With client-side encryption the document is encrypted on the user's side, before it is sent, so the bytes that travel over the connection and the bytes stored in the bucket are ciphertext; S3, and anyone who can read the bucket but cannot use the KMS key, never sees plaintext. Keeping the keys in AWS KMS also covers the auditing requirement: every encrypt and decrypt is a KMS API call, and KMS key usage is recorded in AWS CloudTrail, so each time a document is decrypted there is a log entry naming the principal. Bucket-level access can additionally be captured with S3 server access logging or CloudTrail data events, and a bucket policy that denies requests where aws:SecureTransport is false enforces TLS for the upload itself. Option A (SSE-S3, AES-256) encrypts only at rest: the plaintext is still handed to S3, S3 holds the key and decrypts transparently for anyone with read permission, and the customer has no per-access record of key use. Option B controls who can sign in but says nothing about how the documents are transmitted, stored, or logged. Option C encrypts objects after they have already been written to the bucket, so each document sits in plaintext until the function runs, the function itself needs decrypt access to every object, and the extra component can fail or be misconfigured, which is weaker than encrypting before upload.
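As an added example, not part of the original question or its explanation, the script below shows what the audit side of option D looks like in practice: it walks a CloudTrail log file and builds a per-document access trail from the KMS Decrypt events, which is the record that client-side encryption with KMS gives you. The log records are constructed for the example; the CloudTrail field names (eventSource, eventName, userIdentity.arn, requestParameters.encryptionContext) are CloudTrail's, but the encryption-context keys "s3-bucket" and "s3-key" are an assumption about what the application's encryption client passes to KMS.

```python
"""Per-document access trail from CloudTrail records (added example).

Assumes the client-side encryption library supplies the bucket and object
key as KMS encryption context under the keys "s3-bucket" and "s3-key"
(an assumption; real libraries choose their own context keys), so every
Decrypt call in CloudTrail can be attributed to exactly one document.
"""
import json
from collections import defaultdict

# Constructed sample CloudTrail log file (not real logs).
CT_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ClaimsReviewer/alice"},
     "requestParameters": {"bucketName": "claims-docs", "key": "case-42/bank-statement.pdf"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T10:15:03Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ClaimsReviewer/alice"},
     "requestParameters": {"encryptionContext": {"s3-bucket": "claims-docs",
                                                 "s3-key": "case-42/bank-statement.pdf"}},
     "sourceIPAddress": "203.0.113.10"},
    # A backup job copies the object but never calls KMS: it only ever held ciphertext.
    {"eventTime": "2024-05-01T11:02:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-bot"},
     "requestParameters": {"bucketName": "claims-docs", "key": "case-42/bank-statement.pdf"},
     "sourceIPAddress": "198.51.100.7"},
    # A Decrypt with no encryption context cannot be tied to any document: flag it.
    {"eventTime": "2024-05-01T11:30:11Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {},
     "sourceIPAddress": "198.51.100.99"},
]})


def load_records(text):
    """Parse a CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(text)["Records"]


def decrypt_events(records):
    """Each KMS Decrypt is one plaintext exposure; normalise the fields we audit on."""
    out = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("eventName") != "Decrypt":
            continue
        ctx = (r.get("requestParameters") or {}).get("encryptionContext") or {}
        out.append({"time": r["eventTime"],
                    "principal": r["userIdentity"]["arn"],
                    "bucket": ctx.get("s3-bucket"),
                    "key": ctx.get("s3-key"),
                    "ip": r.get("sourceIPAddress")})
    return out


def access_report(records):
    """Map each document to the (time, principal) pairs that obtained its plaintext."""
    report = defaultdict(list)
    for e in decrypt_events(records):
        if e["bucket"] and e["key"]:
            report[f"s3://{e['bucket']}/{e['key']}"].append((e["time"], e["principal"]))
    return dict(report)


def ciphertext_only_reads(records):
    """S3 GetObject calls with no matching KMS Decrypt by the same principal.

    The caller received the object bytes but, with the key policy done right,
    could not decrypt them; useful for confirming that bucket-level readers
    (backups, replication) never gained plaintext access.
    """
    decrypted = {(e["principal"], e["bucket"], e["key"]) for e in decrypt_events(records)}
    out = []
    for r in records:
        if r.get("eventSource") == "s3.amazonaws.com" and r.get("eventName") == "GetObject":
            p = r["requestParameters"]
            who = r["userIdentity"]["arn"]
            if (who, p["bucketName"], p["key"]) not in decrypted:
                out.append((who, f"s3://{p['bucketName']}/{p['key']}"))
    return out


def unattributed_decrypts(records):
    """Principals whose Decrypt calls carried no document context; review these."""
    return [e["principal"] for e in decrypt_events(records) if not (e["bucket"] and e["key"])]


if __name__ == "__main__":
    recs = load_records(CT_FILE)
    for doc, accesses in access_report(recs).items():
        for when, who in accesses:
            print(f"{when} {who} decrypted {doc}")
    print("ciphertext-only reads:", ciphertext_only_reads(recs))
    print("unattributed decrypts:", unattributed_decrypts(recs))
```

The useful property this relies on is that with client-side encryption a bucket read alone is not a document read: plaintext exists only where a KMS Decrypt succeeded, so the KMS trail, not the S3 trail, is the authoritative record of who saw what. A key policy that requires the expected encryption context (a kms:EncryptionContext condition) turns the last check into an enforcement rather than an alert.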