A hospital must store patient records in an S3 bucket. The compliance team requires that all protected health information (PHI) be encrypted in transit and at rest, and that the compliance team administer the encryption key for data at rest. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys..
Why this is the answer
The correct solution ensures both in-transit and at-rest encryption with compliance team control. The aws:SecureTransport condition in S3 bucket policies forces all connections to use HTTPS (TLS), encrypting data in transit. Configuring default encryption with SSE-KMS encrypts data at rest. SSE-KMS allows the compliance team to manage the KMS keys, fulfilling the requirement for them to administer the encryption key for data at rest. Incorrect options: Creating a public SSL/TLS certificate in ACM and associating it with S3 is not the standard or most effective way to enforce in-transit encryption for S3; the aws:SecureTransport condition is. SSE-S3 uses S3-managed keys, which does not allow the compliance team to administer the encryption key directly. Amazon Macie is a data discovery and classification service, not an encryption mechanism for data at rest or in transit.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed