Which combination of steps will meet these requirements?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A healthcare company is developing an AWS Lambda function that publishes notifications to an encrypted Amazon Simple Notification Service (Amazon SNS) topic.The notifications contain protected health information (PHI).The SNS topic uses AWS Key Management Service (AWS KMS) customer managed keys for encryption.The company must ensure that the application has the necessary permissions to publish messages securely to the SNS topic.

Which combination of steps will meet these requirements?

(Choose three.)

Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic.

Use server-side encryption with AWS KMS keys (SSE-KMS) for the SNS topic instead of customer managed keys.

Create a resource policy for the encryption key that the SNS topic uses that has the necessary AWS KMS permissions.

Specify the Lambda function’s Amazon Resource Name (ARN) in the SNS topic’s resource policy.

Associate an Amazon API Gateway HTTP API with the SNS topic to control access to the topic by using API Gateway resource policies.

Configure a Lambda execution role that has the necessary IAM permissions to use a customer managed key in AWS KMS.

Explanations:

A resource policy on the SNS topic is needed to allow the Lambda function to publish messages to the topic. This policy defines the permissions that allow the Lambda function to interact with the SNS topic.

A resource policy for the encryption key (KMS key) is necessary to ensure the Lambda function has the required AWS KMS permissions to use the key for encryption when publishing to the SNS topic.

The Lambda execution role needs IAM permissions for using the AWS KMS customer managed key, as it requires access to the key to encrypt the message before publishing it to the SNS topic.

The requirement specifies the use of customer managed keys for encryption, not AWS KMS’s default keys (SSE-KMS). Using default AWS-managed keys would not meet the specified encryption requirements.

While specifying the Lambda function’s ARN in the SNS topic’s resource policy might seem logical, the key step for ensuring secure publishing is managing KMS permissions and a resource policy on the SNS topic itself, not just the function’s ARN.

API Gateway is not necessary for controlling access to the SNS topic. The SNS topic’s resource policy, combined with the KMS permissions, provides the necessary access controls. API Gateway is irrelevant in this case.

2025-10-23

1 Comment

  1. Joan
    Author

    As far as I can tell, the answer is:
    Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 3 =