AWS Certified Developer – Associate — Question 98
A company has deployed a single-page application on AWS. The application stores assets in an Amazon S3 bucket. The application has an Amazon CloudFront distribution that is configured with the S3 bucket as the origin. Amazon API Gateway APIs access AWS Lambda functions that store information in an Amazon DynamoDB table. The application ingests a payload that includes 20 fields of sensitive data.
Which combination of steps should a developer take to protect the sensitive data through its entire lifecycle in AWS? (Choose two.)
Answer options
- A. Create a Lambda@Edge function to encrypt data when CloudFront processes a client request. Configure the distribution to invoke the Lambda@Edge function when the origin request event occurs.
- B. Generate an AWS Key Management Service (AWS KMS) customer managed key that Lambda@Edge can use.
- C. Create an SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with the Network Load Balancer.
- D. Set up a Network Load Balancer for API Gateway private integrations.
- E. Store the data in the S3 bucket by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Transfer the encrypted data from the S3 bucket to the DynamoDB table.
Correct answer: A, B
Explanation
The correct answers are A and B. A Lambda@Edge function invoked on the origin request event encrypts the sensitive fields before CloudFront forwards the request to the origin, and an AWS KMS customer managed key gives that function the key material to do so, which protects the data both in transit and at rest. Options C, D, and E (an ACM certificate on a Network Load Balancer, an NLB for API Gateway private integrations, and SSE-S3 on the bucket with a transfer to DynamoDB) do not address encryption of the sensitive fields across the entire lifecycle as directly as A and B do.