A hospital is designing a new application that gathers symptoms from patients. The hospit…

Question

A hospital is designing a new application that gathers symptoms from patients. The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture.
A solutions architect is reviewing the infrastructure design. Data must be encrypted at rest and in transit. Only authorized personnel of the hospital should be able to access the data.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Accepted Answer

Correct answer: C, D. C. Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS. — D. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS. — To secure data in transit, both SQS and SNS policies must enforce TLS connections using policy conditions. For encryption at rest and access control, using a customer managed AWS KMS key allows the configuration of a key policy to restrict access to authorized principals. Thus, implementing these controls on SNS (Option C) and SQS (Option D) meets all security requirements, while other options fail to enforce both transit encryption and proper key access controls.

AWS Certified Solutions Architect – Associate (SAA-C02) — Question 704

Answer options

Correct answer: C, D

Explanation