AWS Certified Solutions Architect – Associate (SAA-C03) — Question 35

A company's containerized application runs on an Amazon EC2 instance. The application needs to download security certificates before it can communicate with other business applications. The company wants a highly secure solution to encrypt and decrypt the certificates in near real time. The solution also needs to store data in highly available storage after the data is encrypted.
Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Create AWS Secrets Manager secrets for encrypted certificates. Manually update the certificates as needed. Control access to the data by using fine-grained IAM access.
• B. Create an AWS Lambda function that uses the Python cryptography library to receive and perform encryption operations. Store the function in an Amazon S3 bucket.
• C. Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3.
• D. Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon Elastic Block Store (Amazon EBS) volumes.

Correct answer: C

Explanation

Option C is the best choice because it leverages AWS Key Management Service (AWS KMS) for secure key management and allows the EC2 instance to efficiently encrypt data while storing it in highly available Amazon S3. Option A requires manual updates, which increases operational overhead, while Option B involves additional complexity with AWS Lambda and does not utilize a highly available storage service. Option D, although secure, uses Amazon EBS which is less suitable for highly available access compared to Amazon S3.