AWS Certified Solutions Architect – Associate (SAA-C03) — Question 356

A hospital is designing a new application that gathers symptoms from patients. The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture.

A solutions architect is reviewing the infrastructure design. Data must be encrypted at rest and in transit. Only authorized personnel of the hospital should be able to access the data.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Answer options

• A. Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.
• B. Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.
• C. Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.
• D. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
• E. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.

Correct answer: B, D

Explanation

To secure data at rest and control access using custom-defined permissions, AWS KMS customer managed keys with customized key policies must be used for both Amazon SNS and Amazon SQS, which makes options B and D correct. Furthermore, option D correctly secures data in transit for SQS by enforcing TLS connections through a policy condition using 'aws:SecureTransport'. Option E is incorrect because key access should be controlled via key policies rather than IAM policies alone, and options A and C fail to specify customer managed keys with appropriate transit and access controls.