AWS Certified Solutions Architect – Associate (SAA-C03) — Question 346

A hospital needs to store patient records in an Amazon S3 bucket. The hospital’s compliance team must ensure that all protected health information (PHI) is encrypted in transit and at rest. The compliance team must administer the encryption key for data at rest.

Which solution will meet these requirements?

Answer options

• A. Create a public SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with Amazon S3. Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
• B. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with S3 managed encryption keys (SSE-S3). Assign the compliance team to manage the SSE-S3 keys.
• C. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.
• D. Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Use Amazon Macie to protect the sensitive data that is stored in Amazon S3. Assign the compliance team to manage Macie.

Correct answer: C

Explanation

To secure data in transit, an S3 bucket policy must enforce HTTPS connections using the aws:SecureTransport condition. For encryption at rest, AWS KMS (SSE-KMS) allows the compliance team to create and manage their own customer-managed keys, whereas S3 managed keys (SSE-S3) are fully handled by AWS and do not allow customer administration. Additionally, ACM certificates cannot be directly attached to S3 buckets, and Amazon Macie is a data discovery and security service, not an encryption solution.