Which combination of steps should the solutions architect take to meet these requirements?

By:
In: SAA-C03
Tagged:
With: 2 Comments
A hospital is designing a new application that gathers symptoms from patients.The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture.A solutions architect is reviewing the infrastructure design.Data must be encrypted at rest and in transit.Only authorized personnel of the hospital should be able to access the data.

Which combination of steps should the solutions architect take to meet these requirements?

(Choose two.)

Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.

Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.

Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.

Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.

Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.

Explanations:

While it’s correct to turn on server-side encryption for SQS, the question requires using an AWS KMS customer managed key. The answer refers to a default key, which does not fully meet the requirement of using a customer-managed key for encryption.

Turning on server-side encryption on SNS using an AWS KMS customer managed key ensures encryption at rest. Applying a key policy to restrict key usage to authorized principals helps enforce access control.

While this option talks about encryption on SNS, it does not mention using a customer managed key for encryption, which is necessary. Additionally, while it includes a topic policy to allow only encrypted connections, the question focuses on using KMS customer managed keys.

Turning on server-side encryption on SQS using an AWS KMS customer managed key ensures encryption at rest. Applying a key policy to restrict key usage and setting a condition to allow only encrypted connections over TLS adds a layer of security for both access and transmission.

While it’s correct to turn on server-side encryption on SQS using a customer-managed KMS key and apply restrictions, IAM policies are not the appropriate method for restricting key usage in this context. Key policies on the KMS key are the correct approach.

2026-03-15

2 Comments

  1. Bradley
    Author

    If memory serves me right, the answer is:
    Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.

  2. Christina
    Author

    I infer that the answer is:
    Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.

Leave a Reply to Christina Cancel reply

Your email address will not be published. Required fields are marked *

4 × five =