AWS Certified Security – Specialty — Question 250

A company is developing a mobile shopping web app. The company needs an environment that is configured to encrypt all resources in transit and at rest.
A security engineer must develop a solution that will encrypt traffic in transit to the company's Application Load Balancer and Amazon API Gateway resources.
The solution also must encrypt traffic at rest for Amazon S3 storage.
What should the security engineer do to meet these requirements?

Answer options

• A. Use AWS Certificate Manager (ACM) for encryption in transit. Use AWS Key Management Service for encryption at rest.
• B. Use AWS Certificate Manager (ACM) for encryption in transit and encryption at rest.
• C. Use AWS Key Management Service for encryption in transit. Use AWS Certificate Manager (ACM) for encryption at rest.
• D. Use AWS Key Management Service for encryption in transit and encryption at rest.

Correct answer: A

Explanation

The correct answer, A, is appropriate because AWS Certificate Manager (ACM) is specifically designed for managing SSL/TLS certificates to encrypt data in transit, while AWS Key Management Service (KMS) is used for encrypting data at rest. Options B and C are incorrect as they do not properly assign the roles of ACM and KMS for the specific needs of transit and rest encryption, and option D incorrectly suggests using KMS for both types of encryption.