AWS Certified Solutions Architect – Associate (SAA-C03) — Question 882
A healthcare company is developing an AWS Lambda function that publishes notifications to an encrypted Amazon Simple Notification Service (Amazon SNS) topic. The notifications contain protected health information (PHI).
The SNS topic uses AWS Key Management Service (AWS KMS) customer managed keys for encryption. The company must ensure that the application has the necessary permissions to publish messages securely to the SNS topic.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic.
- B. Use server-side encryption with AWS KMS keys (SSE-KMS) for the SNS topic instead of customer managed keys.
- C. Create a resource policy for the encryption key that the SNS topic uses that has the necessary AWS KMS permissions.
- D. Specify the Lambda function's Amazon Resource Name (ARN) in the SNS topic's resource policy.
- E. Associate an Amazon API Gateway HTTP API with the SNS topic to control access to the topic by using API Gateway resource policies.
- F. Configure a Lambda execution role that has the necessary IAM permissions to use a customer managed key in AWS KMS.
Correct answer: A, C, F
Explanation
To publish securely to an encrypted SNS topic, the Lambda function needs permissions granted by both the SNS topic's resource policy and the KMS key policy. Specifically, the topic policy must allow the function's execution role to publish messages, and the customer managed key's policy must allow that same execution role to use the key. Finally, the Lambda execution role itself must carry the IAM permissions needed to interact with the KMS customer managed key.
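As an added example (not code from the exam page or from AWS), here are the three policy documents the explanation describes (options A, C, F) together with a small checker that mirrors the explanation's reasoning: every ARN and account ID is a constructed placeholder, and the checker is a deliberate simplification, not a full IAM policy evaluator.

```python
"""Added example: the three grants (topic policy, key policy, execution role)
needed to publish to a KMS-encrypted SNS topic, with a simplified checker."""
import fnmatch

ROLE_ARN = "arn:aws:iam::111122223333:role/phi-notifier-lambda-role"   # constructed
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:phi-notifications"     # constructed
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"      # constructed

# A: SNS topic resource policy that names the function's execution role.
TOPIC_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
                               "Action": "sns:Publish", "Resource": TOPIC_ARN}]}
# C: KMS key policy; SNS uses the CMK on the publisher's behalf.
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
                             "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
                             "Resource": "*"}]}
# F: IAM identity policy attached to the Lambda execution role.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN},
    {"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def allows(policy, action, resource, principal=None):
    """True if an Allow statement matches action and resource (wildcards honoured)
    and, for resource policies, explicitly names the principal ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal and principal not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def publish_outcome(topic_policy, key_policy, role_policy, role_arn=ROLE_ARN):
    """Return "OK" when all three grants line up, else describe the first gap found."""
    if not allows(role_policy, "sns:Publish", TOPIC_ARN):
        return "denied: execution role lacks sns:Publish"
    if not allows(topic_policy, "sns:Publish", TOPIC_ARN, role_arn):
        return "denied: topic policy does not allow the role to publish"
    for action in ("kms:GenerateDataKey", "kms:Decrypt"):
        if not allows(role_policy, action, KEY_ARN):
            return f"denied: execution role lacks {action}"
        if not allows(key_policy, action, KEY_ARN, role_arn):
            return f"denied: key policy does not grant {action} to the role"
    return "OK"
```

Dropping any one of the three documents (for example passing `{"Statement": []}` as the key policy, which is what leaving out option C amounts to) makes `publish_outcome` report the missing grant instead of "OK".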