Which combination of steps should the solutions architect take to meet these requirements?

By:
In: SAA-C02
Tagged:
With: 1 Comment
A hospital is designing a new application that gathers symptoms from patients.The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture.A solutions architect is reviewing the infrastructure design.Data must be encrypted at rest and in transit.Only authorized personnel of the hospital should be able to access the data.

Which combination of steps should the solutions architect take to meet these requirements?

(Choose two.)

Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.

Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.

Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.

Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.

Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.

Explanations:

While turning on server-side encryption on SQS components is correct, the statement does not specify using AWS Key Management Service (AWS KMS) for managing encryption keys, which is necessary to meet security requirements. Additionally, the term “default key policy” is misleading as it should be the key policy of the KMS key.

Enabling server-side encryption on SNS components using an AWS KMS customer-managed key is a good practice. Applying a key policy to restrict usage to authorized principals ensures that only designated personnel can access the encrypted data, satisfying the access control requirements.

The option mentions turning on encryption for SNS components, but it does not specify server-side encryption using AWS KMS, which is essential for key management. Additionally, setting a condition in the topic policy to allow only encrypted connections over TLS does not address encryption at rest.

Enabling server-side encryption on SQS components using AWS KMS customer-managed keys ensures data is encrypted at rest. Applying a key policy to restrict key usage to authorized principals meets the access control requirement, and allowing only encrypted connections over TLS secures data in transit.

While enabling server-side encryption on SQS components using AWS KMS is correct, applying an IAM policy instead of a key policy is inappropriate for managing KMS key usage. Furthermore, the mention of setting a condition in the queue policy to allow only encrypted connections over TLS is irrelevant to encryption at rest.

2025-09-29

1 Comment

  1. Jessica
    Author

    I sort that the answer is:
    Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.

Leave a Reply

Your email address will not be published. Required fields are marked *

eight − 5 =