A hospital is designing a new application that collects patient symptoms. The design uses Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS). Data must be encrypted at rest and in transit, and only authorized hospital personnel must be able to access the data. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals., Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS..
Why this is the answer
The correct options address both encryption at rest and in transit, along with access control. For SQS, enabling server-side encryption with an AWS KMS customer managed key (CMK) encrypts data at rest. Applying a key policy to the CMK restricts key usage to authorized principals, controlling access. Setting a condition in the queue policy to allow only encrypted connections over TLS enforces encryption in transit. Similarly, for SNS, enabling server-side encryption with an AWS KMS CMK encrypts data at rest, and applying a key policy to the CMK restricts key usage to authorized principals. The incorrect options either miss a requirement or use an incorrect method. "Turn on server-side encryption on the SQS components. Update the default key policy..." is insufficient because it doesn't specify using a CMK for SQS, which is needed for fine-grained access control via key policies. "Turn on encryption on the SNS components. Update the default key policy... Set a condition in the topic policy to allow only encrypted connections over TLS" is incorrect because SNS encryption requires a CMK for key policy application, and the option doesn't explicitly state using one. "Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage..." is incorrect because KMS key usage is controlled
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed