Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
A. Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.
B. Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.
C. Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.
D. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
E. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
Explanations:
A. Although turning on server-side encryption on the SQS components is correct, this option does not specify using AWS Key Management Service (AWS KMS) for managing the encryption keys, which is necessary to meet the security requirements. In addition, the phrase "default key policy" is misleading: the policy to restrict is the key policy of the customer managed KMS key.
B. Enabling server-side encryption on the SNS components with an AWS KMS customer managed key is the right practice. Applying a key policy that restricts key usage to authorized principals ensures that only designated principals can use the key to access the encrypted data, satisfying the access control requirement.
C. This option mentions turning on encryption for the SNS components, but it does not specify server-side encryption with AWS KMS, which is essential for key management. Setting a condition in the topic policy to allow only encrypted connections over TLS protects data in transit but does not address encryption at rest.
D. Enabling server-side encryption on the SQS components with an AWS KMS customer managed key ensures that data is encrypted at rest. Applying a key policy that restricts key usage to authorized principals meets the access control requirement, and allowing only encrypted connections over TLS in the queue policy secures data in transit.
E. Although enabling server-side encryption on the SQS components with AWS KMS is correct, applying an IAM policy instead of a key policy is the wrong mechanism for restricting usage of the KMS key. The condition in the queue policy that allows only encrypted connections over TLS addresses data in transit, not encryption at rest.
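Worked example of the two policy documents the correct options describe: a KMS key policy that limits use of the customer managed key to a named set of principals (scoped to SQS through the kms:ViaService condition), and an SQS queue policy that denies any request not made over TLS through the aws:SecureTransport condition. This is added example code, not part of the question or its explanations; the account ID, region, queue name and role names are constructed placeholders. The helper functions only build and inspect the JSON; applying the documents with the AWS CLI or SDK is not shown.

```python
"""Build and sanity-check a KMS key policy and an SQS queue policy.

Constructed placeholder identifiers: replace with real values before use.
"""
import json

ACCOUNT_ID = "111122223333"           # placeholder
REGION = "us-east-1"                  # placeholder
QUEUE_NAME = "orders-queue"           # placeholder
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:{QUEUE_NAME}"
AUTHORIZED_PRINCIPALS = [             # placeholder roles that may use the key
    f"arn:aws:iam::{ACCOUNT_ID}:role/OrderProducerRole",
    f"arn:aws:iam::{ACCOUNT_ID}:role/OrderConsumerRole",
]


def build_key_policy(account_id, region, principals):
    """Key policy: the account root keeps administrative control, and only the
    listed principals may use the key, and only through the SQS service."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowSqsUseByAuthorizedPrincipals",
                "Effect": "Allow",
                "Principal": {"AWS": list(principals)},
                # SQS needs these two actions to encrypt and decrypt messages.
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"sqs.{region}.amazonaws.com"}
                },
            },
        ],
    }


def build_queue_policy(queue_arn):
    """Queue policy: explicit Deny for every principal when the request
    did not arrive over TLS (aws:SecureTransport is false)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "sqs:*",
                "Resource": queue_arn,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def enforces_tls(policy):
    """True if the policy contains a Deny on all principals that fires
    whenever aws:SecureTransport is false."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") != "*":
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def principals_allowed(policy, action):
    """Set of AWS principals granted `action` (or kms:*) by Allow statements."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if action not in actions and "kms:*" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        allowed.update([aws] if isinstance(aws, str) else aws)
    return allowed


if __name__ == "__main__":
    key_policy = build_key_policy(ACCOUNT_ID, REGION, AUTHORIZED_PRINCIPALS)
    queue_policy = build_queue_policy(QUEUE_ARN)
    print(json.dumps(key_policy, indent=2))
    print(json.dumps(queue_policy, indent=2))
    print("queue policy enforces TLS:", enforces_tls(queue_policy))
    print("kms:Decrypt allowed for:", sorted(principals_allowed(key_policy, "kms:Decrypt")))
```

The check functions are what a reviewer would run over a policy pulled from an account: a queue policy without the explicit TLS Deny still accepts plaintext HTTP calls, and a key policy that grants kms:Decrypt to more principals than intended widens who can read the queue's messages regardless of the queue policy.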