AWS Certified Solutions Architect – Professional (SAP-C02) — Question 298
An online survey company runs its application in the AWS Cloud. The application is distributed and consists of microservices that run in an automatically scaled Amazon Elastic Container Service (Amazon ECS) cluster. The ECS cluster is a target for an Application Load Balancer (ALB). The ALB is a custom origin for an Amazon CloudFront distribution.
The company has a survey that contains sensitive data. The sensitive data must be encrypted when it moves through the application. The application's data-handling microservice is the only microservice that should be able to decrypt the data.
Which solution will meet these requirements?
Answer options
- A. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the data-handling microservice. Create a field-level encryption profile and a configuration. Associate the KMS key and the configuration with the CloudFront cache behavior.
- B. Create an RSA key pair that is dedicated to the data-handling microservice. Upload the public key to the CloudFront distribution. Create a field-level encryption profile and a configuration. Add the configuration to the CloudFront cache behavior.
- C. Create a symmetric AWS Key Management Service (AWS KMS) key that is dedicated to the data-handling microservice. Create a Lambda@Edge function. Program the function to use the KMS key to encrypt the sensitive data.
- D. Create an RSA key pair that is dedicated to the data-handling microservice. Create a Lambda@Edge function. Program the function to use the private key of the RSA key pair to encrypt the sensitive data.
Correct answer: B
Explanation
Amazon CloudFront field-level encryption encrypts selected POST form fields at the edge with a public key that you upload to the distribution, so the fields stay encrypted while they pass through the ALB and every other microservice and can only be decrypted by the holder of the matching private key, here the data-handling microservice. The setup is exactly what option B describes: generate a 2048-bit RSA key pair, upload the public key to CloudFront, create a field-level encryption profile (which names the public key and the fields to encrypt) and a configuration (which maps request content types or query arguments to that profile), and attach the configuration to the cache behavior. Options A and C are incorrect because field-level encryption requires an RSA public key and cannot use a symmetric AWS KMS key; with a symmetric key, whoever can encrypt can also decrypt, so restricting decryption to one microservice would rest entirely on KMS key policy rather than on possession of a private key. Option D is incorrect because encrypting with the private key provides no confidentiality (anyone holding the public key could recover the data; that operation is a signature, not encryption), and a hand-written Lambda@Edge scheme duplicates a native CloudFront feature with more custom code to secure. Field-level encryption is applied in addition to HTTPS, not instead of it, so the viewer and origin connections should still use TLS.
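The following script is an added example, not part of the exam page or of any AWS code. It shows the property that makes option B correct: a field encrypted with a public key at the edge can only be recovered by the one party holding the private key. The key-generation step is the real one (CloudFront accepts a 2048-bit RSA public key in PEM format); the encrypt and decrypt functions are local stand-ins using the openssl CLI, since a real CloudFront-encrypted field arrives as an AWS Encryption SDK message that the origin decrypts with that SDK and the same private key. The key names and the sample field value are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the exam page or AWS): the key handling behind
# option B, simulated locally with the openssl CLI.
# Assumptions: openssl is installed; "data-handling" and "other-service"
# are invented key names; the field value is constructed sample data.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Step 1 (the real AWS step): generate a 2048-bit RSA key pair. CloudFront
# requires RSA-2048. Only the .pub.pem file is uploaded to CloudFront
# (aws cloudfront create-public-key); the private key stays with the
# data-handling microservice and is never uploaded anywhere.
generate_keypair() {
  name="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/$name.priv.pem" 2>/dev/null
  openssl pkey -in "$WORKDIR/$name.priv.pem" -pubout \
    -out "$WORKDIR/$name.pub.pem" 2>/dev/null
}

# Stand-in for CloudFront at the edge: encrypt one POST form field using
# the public key only (RSA-OAEP). The base64 output can travel in the form
# body past the ALB and the other microservices, none of which can read it.
encrypt_field() {
  name="$1" value="$2"
  printf '%s' "$value" \
    | openssl pkeyutl -encrypt -pubin -inkey "$WORKDIR/$name.pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    | openssl base64 -A
}

# Stand-in for the data-handling microservice at the origin: decrypt with
# the private key. Exits non-zero if the key does not match the ciphertext.
decrypt_field() {
  name="$1" ciphertext_b64="$2"
  printf '%s' "$ciphertext_b64" \
    | openssl base64 -d -A \
    | openssl pkeyutl -decrypt -inkey "$WORKDIR/$name.priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Happy path: a field encrypted under the data-handling public key is
# recovered by the data-handling private key.
roundtrip() {
  generate_keypair data-handling
  ct="$(encrypt_field data-handling "$1")"
  decrypt_field data-handling "$ct"
}

# The failure mode the requirement cares about: another microservice with
# its own key pair cannot decrypt. Prints "blocked" (expected) or "leaked".
wrong_key_attempt() {
  generate_keypair data-handling
  generate_keypair other-service
  ct="$(encrypt_field data-handling "$1")"
  if decrypt_field other-service "$ct" >/dev/null 2>&1; then
    echo leaked
  else
    echo blocked
  fi
}

echo "round trip:         $(roundtrip '123-45-6789')"
echo "other microservice: $(wrong_key_attempt '123-45-6789')"
```

Note that the asymmetry is the whole point: the edge (and anyone who compromises it) holds only the public key, which cannot decrypt, whereas the symmetric-key designs in options A and C would give the encrypting party the same key material the decrypting party needs, leaving separation to KMS policy alone.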