Which of the following solutions supports these requirements?

By:
In: DVA-C01
Tagged:
With: 1 Comment
An application running on multiple Amazon EC2 instances pulls messages from a standard Amazon SQS queue.A requirement for the application is that all messages must be encrypted at rest.Developers are instructed to use methods that allow for centralized key management and minimize possible support requirements whenever possible.

Which of the following solutions supports these requirements?

Encrypt individual messages by using client-side encryption with customer managed keys, then write to the SQS queue.

Encrypt individual messages by using SQS Extended Client and the Amazon S3 encryption client.

Create an SQS queue, and encrypt the queue by using server-side encryption with AWS KMS.

Create an SQS queue, and encrypt the queue by using client-side encryption.

Explanations:

Client-side encryption with customer managed keys requires managing encryption keys manually, which increases support complexity and does not leverage centralized key management.

SQS Extended Client and Amazon S3 encryption client are primarily used for storing large messages in Amazon S3, not for direct encryption of SQS messages in the queue.

Server-side encryption with AWS KMS provides centralized key management and encrypts all messages at rest in SQS, meeting both the encryption and key management requirements.

Client-side encryption requires the application to handle encryption and decryption, adding complexity and failing to leverage centralized key management through AWS KMS.

2025-10-09

1 Comment

  1. Maria
    Author

    I surmise that the answer is:
    Create an SQS queue, and encrypt the queue by using server-side encryption with AWS KMS.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 3 =