AWS Certified Developer – Associate — Question 35
An application running on multiple Amazon EC2 instances pulls messages from a standard Amazon SQS queue. A requirement for the application is that all messages must be encrypted at rest.
Developers are instructed to use methods that allow for centralized key management and minimize possible support requirements whenever possible.
Which of the following solutions supports these requirements?
Answer options
- A. Encrypt individual messages by using client-side encryption with customer managed keys, then write to the SQS queue.
- B. Encrypt individual messages by using SQS Extended Client and the Amazon S3 encryption client.
- C. Create an SQS queue, and encrypt the queue by using server-side encryption with AWS KMS.
- D. Create an SQS queue, and encrypt the queue by using client-side encryption.
Correct answer: C
Explanation
The correct answer is C because it uses server-side encryption with AWS KMS, which allows for centralized key management and minimizes support needs. Option A requires client-side management of encryption keys, which increases complexity. Option B involves additional components and may not align with the requirement for centralized key management. Option D also relies on client-side encryption, which is less efficient for key management.