AWS Certified Solutions Architect – Professional (SAP-C02) — Question 475
A company needs to use an AWS Transfer Family SFTP-enabled server with an Amazon S3 bucket to receive updates from a third-party data supplier. The data is encrypted with Pretty Good Privacy (PGP) encryption. The company needs a solution that will automatically decrypt the data after the company receives the data.
A solutions architect will use a Transfer Family managed workflow. The company has created an IAM service role by using an IAM policy that allows access to AWS Secrets Manager and the S3 bucket. The role's trust relationship allows the transfer.amazonaws.com service to assume the role.
What should the solutions architect do next to complete the solution for automatic decryption?
Answer options
- A. Store the PGP public key in Secrets Manager. Add a nominal step in the Transfer Family managed workflow to decrypt files. Configure PGP encryption parameters in the nominal step. Associate the workflow with the Transfer Family server.
- B. Store the PGP private key in Secrets Manager. Add an exception-handling step in the Transfer Family managed workflow to decrypt files. Configure PGP encryption parameters in the exception handler. Associate the workflow with the SFTP user.
- C. Store the PGP private key in Secrets Manager. Add a nominal step in the Transfer Family managed workflow to decrypt files. Configure PGP decryption parameters in the nominal step. Associate the workflow with the Transfer Family server.
- D. Store the PGP public key in Secrets Manager. Add an exception-handling step in the Transfer Family managed workflow to decrypt files. Configure PGP decryption parameters in the exception handler. Associate the workflow with the SFTP user.
Correct answer: C
Explanation
To decrypt data that a third party encrypted with the company's PGP public key, the receiving organization must use the corresponding PGP private key (the public key can only encrypt), and that private key should be stored securely in AWS Secrets Manager, where the workflow's execution role can read it. Because decrypting every incoming file is the normal processing path, it must be configured as a nominal step in the AWS Transfer Family managed workflow rather than as an exception-handling step, which runs only when a nominal step fails. Associating the workflow containing the nominal decryption step with the Transfer Family server (rather than with a single SFTP user) ensures that all files uploaded to the server are automatically processed and decrypted.
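The following Python example is added here to show what answer C looks like as concrete API payloads; it is not part of the original question or of AWS documentation. It builds the trust policy, a minimal permissions policy for the execution role, the Secrets Manager secret that Transfer Family looks up for PGP decryption, the CreateWorkflow and UpdateServer request bodies, and a `check_design` function that flags each mistake the wrong answer options make (public key instead of private key, decrypt placed in `OnExceptionSteps`, workflow not attached to the server). The server ID, workflow ID, account number, bucket name and key material are constructed placeholders; the field names follow the Transfer Family API and the `aws/transfer/<server-id>/<user>` secret naming convention, with `@pgp-default` meaning "all users on this server".

```python
"""Payloads for a Transfer Family managed workflow that PGP-decrypts uploads,
plus a checker for the design constraints the question tests. (Added example.)"""
import json

# Constructed placeholder identifiers; substitute real values before use.
SERVER_ID = "s-PLACEHOLDER0000000"
WORKFLOW_ID = "w-PLACEHOLDER000000"
BUCKET = "example-inbound-bucket"
ACCOUNT = "111122223333"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/TransferWorkflowRole"


def trust_policy() -> dict:
    """Trust relationship: only the Transfer Family service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "transfer.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(server_id: str, bucket: str, region: str = "us-east-1") -> dict:
    """Least-privilege permissions: read only this server's PGP secrets, work in the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
             "Resource": f"arn:aws:secretsmanager:{region}:{ACCOUNT}:secret:aws/transfer/{server_id}/*"},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectTagging", "s3:PutObjectTagging"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def pgp_secret(server_id: str, private_key_pem: str, passphrase: str = None,
               user: str = "@pgp-default") -> dict:
    """Secret Transfer Family reads for PGP decryption: name aws/transfer/<server>/<user>,
    JSON value with PGPPrivateKey and optional PGPPassphrase."""
    value = {"PGPPrivateKey": private_key_pem}
    if passphrase:
        value["PGPPassphrase"] = passphrase
    return {"Name": f"aws/transfer/{server_id}/{user}", "SecretString": json.dumps(value)}


def decrypt_workflow(bucket: str, prefix: str = "decrypted/") -> dict:
    """CreateWorkflow body: DECRYPT as a nominal step (Steps), not an exception step."""
    return {
        "Description": "PGP-decrypt inbound supplier files",
        "Steps": [{
            "Type": "DECRYPT",
            "DecryptStepDetails": {
                "Name": "decrypt-pgp",
                "Type": "PGP",
                "SourceFileLocation": "${original.file}",
                "OverwriteExisting": "FALSE",
                "DestinationFileLocation": {"S3FileLocation": {"Bucket": bucket, "Key": prefix}},
            },
        }],
        "OnExceptionSteps": [],
    }


def server_workflow_details(workflow_id: str, role_arn: str) -> dict:
    """UpdateServer WorkflowDetails: attach the workflow to the server for every full upload."""
    return {"OnUpload": [{"WorkflowId": workflow_id, "ExecutionRole": role_arn}]}


def check_design(workflow: dict, secret: dict, trust: dict, details: dict) -> list:
    """Return design violations; an empty list means the setup matches answer C."""
    problems = []
    material = json.loads(secret["SecretString"])
    key = material.get("PGPPrivateKey", "")
    if "PRIVATE KEY" not in key:
        problems.append("secret must hold the PGP private key")
    nominal = [s for s in workflow.get("Steps", []) if s["Type"] == "DECRYPT"]
    if not nominal or nominal[0]["DecryptStepDetails"]["Type"] != "PGP":
        problems.append("decrypt must be a nominal step with Type PGP")
    if any(s["Type"] == "DECRYPT" for s in workflow.get("OnExceptionSteps", [])):
        problems.append("decrypt must not be an exception-handling step")
    principals = [st.get("Principal", {}).get("Service") for st in trust["Statement"]]
    if "transfer.amazonaws.com" not in principals:
        problems.append("role must trust transfer.amazonaws.com")
    if not details.get("OnUpload"):
        problems.append("workflow must be attached to the server's OnUpload")
    return problems


if __name__ == "__main__":
    # Constructed key block; a real armored private key goes here.
    fake_key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n-----END PGP PRIVATE KEY BLOCK-----"
    setup = {
        "workflow": decrypt_workflow(BUCKET),
        "secret": pgp_secret(SERVER_ID, fake_key),
        "trust": trust_policy(),
        "details": server_workflow_details(WORKFLOW_ID, EXECUTION_ROLE_ARN),
    }
    print(json.dumps(setup, indent=2))
    print("violations:", check_design(**setup))
```

The printed `workflow` and `details` objects can be passed to `aws transfer create-workflow --cli-input-json` and `aws transfer update-server --workflow-details` respectively; the permissions policy deliberately scopes `secretsmanager:GetSecretValue` to the `aws/transfer/<server-id>/` prefix so the execution role cannot read unrelated secrets.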